Your Rights and Our Legal Bases
Effective Date: December 11, 2019
European Economic Area Member Rights
Your Rights and How to Exercise Them
If you are habitually located in the European Economic Area ("EEA"), you have the right to access, rectify, download or erase your information, as well as the right to restrict and object to certain processing of your information. While some of these rights apply generally, certain rights apply only in certain limited circumstances. We describe these rights below:
Where we process your information based on our legitimate interests explained below, you can object to this processing in certain circumstances. In such cases, we will cease processing your information unless we have compelling legitimate grounds to continue processing or where it is needed for legal reasons.
You can access much of your information by logging into your account. If you require additional access or if you are not a Strava member, contact us at https://support.strava.com. Click here to download a copy of your data.
You can also rectify, restrict, limit or delete much of your information by logging into your account, such as to edit your profile, delete photos you have posted, remove individual activities from view, or delete your account. If you are unable to do this, please contact us at https://support.strava.com. Strava will generally respond to your request within 10-14 business days.
Where you have previously provided your consent, such as to permit us to process health-related data about you, you have the right to withdraw your consent to the processing of your information at any time. For example, you can withdraw your consent by updating your settings. In certain cases, we may continue to process your information after you have withdrawn consent if we have a legal basis to do so or if your withdrawal of consent was limited to certain processing activities.
Should you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority.
European Economic Area Members: Our Legal Bases for Processing Your Information
European data protection law requires organizations to have legal bases to collect, use, share and otherwise process information about you. While some of your rights apply generally, certain rights only apply depending on the legal bases we rely on to process data. We’ve explained these legal bases and your rights below.
As described in the Terms of Service, the core Strava Services cannot be provided, and the Terms of Service cannot be performed, without Strava processing data about you including your location data. Since we process data you provide to us which is necessary to perform our contract with you, you have the right to port or transfer that data if you are habitually resident in the EEA.
We ask for your permission to process your information for certain purposes and you have the right to withdraw your consent at any time. We ask for your consent to:
- Collect or infer health information which may include information inferred from sources such as heart rate or other indicators. We use your health information to provide helpful statistics and visualizations.
- Send you marketing communications.
- Collect and process information from third-party products and services, such as Facebook or Google, or devices and apps, such as your Garmin watch or Flywheel account, which you connect to Strava.
- Access photos, location, and contacts information through your device-based settings so we can provide the services described when you enable the settings.
We process data where it is necessary to protect an interest which is essential to someone’s life or protect any person from serious bodily injury. This includes processing information to combat harmful conduct both on and off of our Services.
Where laid down by EU law or the law in an EU Member State, we may process your data to perform processing in the public interest. This may include protecting against harm and undertaking research for social good. You have the right to object to, and seek restriction of, our processing of your personal data when we process data using this legal basis.
We process your information for our legitimate interests, and those of third parties, while applying appropriate safeguards that protect your privacy, rights and interests. We do this to:
- Market the Services, activities on Strava and other commercial products or services. For example, our partners may pay us to promote their products, services, events, gear or devices on Strava. This is one of the ways we are able to provide the Services on a sustainable basis. We provide you with controls and safeguards, including the ability to object.
- Maintain our business by conducting research and continuously improving the Services so as to offer innovative and customised offerings to our members and partners.
- Convert it into aggregated form for use by us and our partners. Our partners may use this information to improve infrastructure, such as with Strava Metro, or for other commercial purposes including developing useful insights. We also aggregate information to generate our Global Heatmap.
- Keep the Services safe and secure by using information to prevent or detect violations of our Terms of Service, fraud or abuse, and other harmful or illegal conduct. We may also share information with third parties, including law enforcement agencies for this purpose.
- Promote the Services, including email and in-product marketing campaigns to inform you about our Services.
- Encourage users to find new ways to interact, including activities, followers, clubs, challenges, or events. We rely on our legitimate interest in retaining members when ensuring that we offer new opportunities, such as showing routes or segments of interest to our community, and we may use location information when suggesting such opportunities.
California Member Rights
If you are a California resident, as defined in the California Code of Regulations, you have rights under the California Consumer Privacy Act of 2018 ("the CCPA"). Below, we provide a description of your rights and disclosures about your personal information.
Your Rights and How to Exercise Them
The CCPA gives you the right to request that we disclose the specific pieces of personal information we have collected about you, which we do after we receive and validate your request.
Strava does not sell your personal information. However, we may disclose certain personal information for a business purpose. When you make a request to download your personal information, we will include a list of the categories of personal information that we may have disclosed about you, as well as the categories of third parties to whom your personal information may have been disclosed.
You may request these disclosures by clicking here to download a copy of your data.
You have the right to make a free request two times in any 12-month period. We will make the disclosure within 45 days of receiving your request, unless we request an extension. In the event that we reasonably need a 45-day extension, we will notify you of the extension within the initial 45-day period.
You have the right to request that we delete your personal information, subject to certain exceptions. After we receive and validate your request, we will delete your personal information, as well as direct our service providers to delete your personal information, unless an exception applies. Click here to delete your data.
Disclosures About Your Personal Information
We collect the following categories of personal information from you in connection with the Services, as defined in the CCPA. In addition, during the past twelve months, we have disclosed these categories of personal information for a business purpose:
- Identifiers, such as your real name, athlete ID, Internet Protocol address, email address, and other similar identifiers.
- Personal information categories listed in the California Customer Records provisions, including physical characteristics, such as weight, and payment information, such as your credit card number.
- Characteristics of protected classifications under California or federal law, such as your gender and age.
- Commercial information, such as the record of purchase of your Summit membership.
- Biometric information, such as your exercise data.
- Internet or other electronic network activity information, such as session logs.
- Geolocation data, such as the physical location of your recorded activity.
- Electronic, visual, or similar information, such as photos.
- Inferences drawn from any of the above information to create a profile reflecting your preferences, characteristics, behavior, abilities, and aptitudes, such as Relative Effort.
- Publicly available information from government records.
- De-identified or aggregated consumer information.
If you have questions about your rights or our disclosures under the CCPA, you may reach us at DPO@strava.com.
Nevada Member Rights
We do not sell your covered information, as defined by Section 1.6 of Chapter 603A of the Nevada Revised Statutes. If you reside in Nevada, you have the right to submit a request to our designated request address DPO@strava.com regarding the sale of covered information.
Changes to This Information
We reserve the right to modify this information at any time. Please review it occasionally. If Strava makes changes to this information, the updated page will be posted on the Services in a timely manner.
Questions or comments about this information may be submitted by mail to the address below or via https://support.strava.com.
208 Utah Street
San Francisco, CA 94103
© 2019 Strava