Our Legal Bases
Effective Date: September 30, 2024
Our Legal Bases for Processing Your Information
Data protection laws (for example, in the EEA or Brazil) require organizations to have legal bases to collect, use, share and otherwise process information about you. While some of your rights apply generally, certain rights only apply depending on the legal bases we rely on to process data. We explain these legal bases below, along with the relevant categories of data processed under this legal basis. To visualize this information in table form, along with relevant business purposes, see Strava’s Privacy Policy. You will also find more information about your legal rights and how to exercise them in that policy.
To provide the Strava Services
As described in Strava’s Privacy Policy, many core Strava Services cannot be provided, and the Terms of Service cannot be performed, without Strava processing data including for the following purposes:
- Interact with other users. For example, we use personal information, including your name, avatar, athlete ID, and content you choose to share to compete on segments, participate in clubs, challenges, or events, follow other users, message other users, and use features that help users interact with one another, such as group activities or Flyby.
- Manage your training. For example, to set goals and use your training dashboard.
- Explore new places to go. For example, to discover routes or segments where you can engage in your activity. Similarly, if several users run a specific route, that information may be used to suggest the route to other users.
- Provide AI Features. For example, we use machine learning or artificial intelligence, including large language models, to detect anomalies on leaderboards, generate route recommendations, or provide personalized training guidance.
- Visualize your activities in new ways. For example, by creating personal heatmaps or using your training log.
- Share insights with the Strava community. For example, by sharing your public reviews and photos of specific routes or segments. We may also analyze your public photos from specific routes or segments to attach characteristics to those routes or segments (such as shaded, waterfalls, flowers).
- To contact you regarding the Services. We use your contact information, which includes name and email address, so we can contact you when needed regarding the Services, for example, to respond to your support requests.
Relevant categories of data processed under this legal basis: a) Identifiers, such as your real name, athlete ID, Internet Protocol (IP) address, email address, and other similar identifiers; b) Payment Information; c) Age, as identified by you; d) Commercial information, such as the record of purchase of your Strava subscription; e) Internet or other electronic network activity information, such as session logs.
With your consent
We ask for your permission to process your information for certain purposes and you have the right to withdraw your consent at any time via your settings. Please note that the withdrawal of your consent will not affect the lawfulness of the processing based on the consent provided before the withdrawal. We ask for your consent to:
- Obtain your geolocation when recording GPS-based activities or when you are using certain map-based features, as well as to use our Beacon safety feature.
- Record your activities.
- Collect or infer health information, which may include information inferred from sources such as heart rate or other indicators. We use your health information to provide you with statistics and visualizations.
- Send you direct marketing emails.
- Collect and process information from third-party products and services, such as Meta or Google, or devices and apps, such as your Garmin watch or Peloton account, that you connect to Strava.
- Access photos, location, and contacts information through your device-based settings so we can provide the services described when you enable the settings.
- Share your data with third party providers for the purpose of targeted advertising.
Relevant categories of data processed under this legal basis: a) Identifiers, such as your real name, athlete ID, Internet Protocol (IP) address, email address, and other similar identifiers; b) Physical characteristics such as height or weight, as indicated by you; c) Gender, as identified by you; d) geolocation data, such as the physical location, direction and speed of your recorded activity; e) biometric information, such as your exercise data to the extent it contains identifying information; f) electronic, visual, or similar information, such as photos.
Legal obligation or for the establishment, exercise or defense of legal claims
We process data where we have a legal obligation to do so, for example, where we're responding to a valid and binding legal process from a law enforcement agency for certain data. See our Privacy Policy, under "Legal Requirements" for more information. We may also collect and process personal information, for example, your date of birth, to comply with regulations that require us to provide additional protections for children.
In addition, processing may be needed for us to establish, exercise or defend civil or criminal claims in connection with actual or potential litigation including to protect the Strava Services, our property or other legal rights, including those of our members, partners, or subsidiaries.
Examples of Irish and other EU members laws that would require us to respond to requests for processing of personal information are as follows:
Regulatory matters - to comply with legal obligations to engage with regulators, such as the Data Protection Commission under the General Data Protection Regulation and the Data Protection Act 2018, and relevant regulators under the Digital Services Act.
Criminal Matters - comply with requests from Irish law enforcement to provide data in relation to an investigation, such as under Section 10 of the Criminal Justice (Miscellaneous Provisions) Act 1997 as amended by 6(1)(a) of the Criminal Justice Act 2006 or to take steps to report information to law enforcement where required.
Consumer and Fair Trade matters - to comply with our obligations under consumer law such as the Competition and Consumer Protection Act 2014 such as where the Irish Competition and Consumer Protection Commission requests information and our obligations under the Digital Services Act.
Corporation and Taxation matters - to comply with our obligations under companies legislation and tax law such as the Companies Act 2014 such as where the Irish Revenue Commissioners request information.
Information Security matters - to implement appropriate technical and organizational security measures, such as under the General Data Protection Regulation.
Relevant categories of data processed under this legal basis: a) Identifiers, such as your real name, athlete ID, Internet Protocol (IP) address, email address, and other similar identifiers; b) Payment Information; c) Age, as identified by you; d) Commercial information, such as the record of purchase of your Strava subscription; e) Internet or other electronic network activity information, such as session logs.
To protect vital interests
We process data where it is necessary to protect an interest which is essential to someone’s life or protect any person from serious bodily injury.
Relevant categories of data processed under this legal basis: a) Identifiers, such as your real name, athlete ID, Internet Protocol (IP) address, email address, and other similar identifiers; b) Payment Information; c) Age, as identified by you; d) Commercial information, such as the record of purchase of your Strava subscription; e) Internet or other electronic network activity information, such as session logs.
Carrying out a task in the public interest
Where set out in EU law or the law in an EU Member State, we may process your data to perform a task in the public interest. This may include protecting against harm and undertaking research for social good. You have the right to object to, and seek restriction of, our processing of your personal information when we process data using this legal basis.
Relevant categories of data processed under this legal basis: a) Identifiers, such as your real name, athlete ID, Internet Protocol (IP) address, email address, and other similar identifiers; b) Payment Information; c) Age, as identified by you; d) Commercial information, such as the record of purchase of your Strava subscription; e) Internet or other electronic network activity information, such as session logs.
In furtherance of legitimate interests
We process your information for our legitimate interests, and those of third parties, while applying appropriate safeguards that protect your privacy, rights and interests. We do this to:
- Enable you to interact with other users by using the Services, such as to compete on segments, participate in clubs, challenges, follow other athletes, message other users, , or use features that group you with other athletes, based on your feature preferences, like group activities or flyby.
- Enable you to visualize your activities in new ways. For example, by creating personal heatmaps or using your training log.
- Customize the Services for you. We may suggest segments, routes/trails, challenges, points of interests, or clubs that may interest you, athletes that you may want to follow, or new features that you may want to try. We rely on our legitimate interest in retaining members when ensuring that we offer new opportunities, such as showing routes or segments of interest to our community, and we may use location information when suggesting such opportunities.
- Maintain our business by conducting research and continuously improving the Services so as to offer innovative and customized offerings to our members and partners.
- Keep the Services safe and secure by using information to prevent or detect violations of our Terms of Service or Community Standards, fraud or abuse, and other harmful or illegal conduct. We may also share information with third parties, including law enforcement agencies for this purpose.
- De-identify and aggregate your information for use by us and our partners. For example, we aggregate information to generate community-powered features like our Global Heatmap, Points of Interest, and Start Points. Our partners may use aggregated information to improve transportation infrastructure, such as for Strava Metro.
- Enable you to contribute to and access community-powered insights. For example, sharing points of interest or public photos from specific routes to provide insights to other users about those places.
- To the extent permitted by law, to market the Services, activities on Strava and other commercial products or services, except for direct marketing emails. As noted above, we would only send direct marketing emails with your consent. For example, our partners may pay us to promote their challenges, products, or services on Strava.
Relevant categories of data processed under this legal basis: a) Identifiers, such as your real name, athlete ID, Internet Protocol (IP) address, email address, and other similar identifiers; b) Payment Information; c) Age, as identified by you; d) Commercial information, such as the record of purchase of your Strava subscription; e) Internet or other electronic network activity information, such as session logs; f) Internet or other electronic network activity information, such as session logs; g) Inferences drawn from any of the above information to create a profile reflecting your preferences, characteristics, behavior, abilities, and aptitudes, such as Relative Effort.
Right to Object
You have the right to object to, and seek restriction of, our processing of your personal information based on legitimate interests. Strava’s lead supervisory authority in the EEA is the Data Protection Commission of Ireland. Visit your privacy controls to object to the processing of your personal information. If you have questions about objections, please contact us at DPO@strava.com.
Changes to This Information
We reserve the right to modify this information at any time. If Strava makes changes to this information, the updated page will be posted on the Services in a timely manner.
How to contact us
Questions or comments about this information, your rights or our disclosures, or requests to appeal a decision made regarding your privacy rights may be submitted by mail or email using the contact information or via https://support.strava.com.
For Non-EU/EEA Data Subjects:
Strava, Inc.
208 Utah Street
San Francisco, CA 94103
USA
Attn: Legal
DPO@strava.com
For EU/EEA Data Subjects:
Strava Ireland Ltd.
c/o MHC, 6th Floor,
South Bank House Barrow Street,
Republic of Ireland, D04TR2
Attn: Legal
DPO@strava.com
© 2024 Strava