Fitness app Strava is tightening third-party access to user data

The Strava app is one of the most popular ways for cyclists, runners, hikers, and other distance sports enthusiasts to track their performance and grab some bragging rights. Because most athletic types will have the app installed already—and because it's hard or impossible to run two tracking apps at once—many apps use Strava's API as a go-between for workout data.

Strava emailed its more than 100 million users earlier this week to notify them about "important updates on how Strava data can be displayed, accessed, and used by third-party apps." In the update, Strava noted that third-party apps "are no longer able to display your Strava activity data on their surfaces to other users," that Strava's API data cannot be used "in artificial intelligence models or other similar applications," and that third-party apps must be designed so as to "complement" Strava's look and feel "rather than replicating it."

What does this actually mean? It depends on which apps you're using. DC Rainmaker, a longtime fitness tech blogger, sees the "other users" clause as something that "immediately break[s] almost all coaching apps that have connections to Strava." If an app needs to see your Strava workout to provide insights on performance or connect you to a group, Strava's API seems to block it now. A manager at the training app Intervals posted on the app's official forum that the API change would break Intervals' ability to use Strava as its data source.

Ars Video

“Almost all coaching apps” or “0.1 percent”?

Strava posted "additional context" about its API changes on Tuesday after DC Rainmaker posted his thoughts (and a video). The changes target situations where a user is "unaware that their data is being surfaced not just for their own use and visibility but also to other users," the company said. Users being unaware of how their fitness data is displayed has, for example, led to unintentional disclosure of military facilities.

AI, while having potential, "must be handled responsibly and with a firm focus on user control," and third-party developers may not take "such a deliberate approach," Strava wrote. And the firm expects the API changes will "affect only a small fraction (less than 0.1 percent) of the applications on the Strava platform" and that "the overwhelming majority of existing use cases are still allowed," including coaching platforms "focused on providing feedback to users."

Ars has contacted Strava and will update this post if we receive a response.

DC Rainmaker's post about Strava's changes points out that while the simplest workaround for apps would be to take fitness data directly from users, that's not how fitness devices work. Other than "a Garmin or other big-name device with a proper and well-documented" API, most devices default to Strava as a way to get training data to other apps, wrote Ray Maker, the blogger behind the DC Rainmaker alias.

Beyond day-to-day fitness data, Strava's API agreement now states more precisely that an app cannot process a user's Strava data "in an aggregated or de-identified manner" for the purposes of "analytics, analyses, customer insights generation," or similar uses. Maker writes that the training apps he contacted had been "completely broadsided" by the API shift, having been given 30 days' notice to change their apps.

Strava notes in a post on its forum in the Developers & API section that, per its guidelines, "posts requesting or attempting to have Strava revert business decisions will not be permitted."