Running App Privacy: What Your GPS Data Reveals and How to Protect It

In January 2018, a fitness tracking company called Strava published a global heatmap — a beautiful visualization of every GPS route its 76 million users had ever logged. Runners, cyclists, hikers, all contributing their movements to one massive dataset.

Within days, military analysts noticed something the company hadn’t anticipated. The heatmap was lighting up the outlines of secret military bases in Afghanistan, Iraq, and Syria. Soldiers using Strava on their phones had unknowingly traced the perimeters of classified installations, patrol routes, and even the internal layouts of buildings. The data was public. Anyone could see it.

That was bad enough. Then it got worse.

In 2023, researchers demonstrated that Strava’s data could be used to track specific individuals — including a Russian submarine commander whose jogging routes near a naval base were visible to anyone who knew where to look. His daily habits, his home location, his schedule — all of it was being broadcast by his running app.

These aren’t edge cases. They’re the logical outcome of what happens when millions of people share precise GPS data without understanding what they’re giving away.

I co-lead a running club in Oakville, Ontario. Over the past few years, I’ve watched club members — good, smart people — unknowingly broadcast their home addresses, daily schedules, and running routes to the entire internet through their running apps. Most had no idea their data was public. Some didn’t even know their app had a social component.

This article is for them. And for you, if you’ve ever wondered what your running app actually knows about you.

What Your Running App Actually Knows About You

Most runners think of their app as a simple stopwatch with a map. Start a run, get your pace, see the route. That’s the visible part. Behind the screen, the data collection goes much further.

GPS location data — Your app records your precise coordinates every few seconds throughout every run. Over time, this creates an extremely detailed picture of where you go. Every route you’ve ever run, timestamped.

Home and work addresses — You probably start most of your runs from home. Maybe some from work, or from a friend’s house. Your app doesn’t need you to enter your address. It figures it out from the pattern of where your runs begin and end.

Your daily schedule — Run at 6 AM every Tuesday and Thursday? Your app knows that. It knows when you’re away from home, when you’re likely to be on a predictable route, and when your house is empty.

Health and body data — Heart rate, cadence, stride length, VO2 max estimates, weight, height, age, resting heart rate. If your app connects to a smartwatch or heart rate monitor, it’s collecting biometric data that reveals a lot about your physical condition.

Social connections — Who you run with, who follows you, who you interact with. Apps with social features build a graph of your relationships.

Device information — Your phone model, operating system, carrier, and often a unique device identifier that can be used to track you across apps and services.

Running surface and terrain — Elevation data, pace variations, and GPS patterns can reveal whether you’re running on roads, trails, treadmills, or tracks.

Put it all together and your running app has a profile of you that most people would find uncomfortable: where you live, where you work, your physical fitness level, your daily routine, your social circle, and years of location history.

The Privacy Policies Most Runners Never Read

I’ve read the privacy policies of the major running apps so you don’t have to. Here’s what they actually say — not the marketing version, but the legal version.

Strava

Strava is social by default. When you create an account, your profile, activities, and routes are public unless you manually change your settings. Your data is shared with third-party partners for analytics and advertising. Strava’s business model depends on aggregating user data — the Metro product sells movement data to city planners and transportation agencies.

Strava retains your data even after you delete your account (in anonymized form for their aggregate products). The Kaspersky analysis of running app privacy found that Strava collects significantly more data points than most users realize, and that the default sharing settings expose far more information than necessary for the app to function.

The Flyby feature — which shows you other Strava users who were near you during your run — has been flagged repeatedly as a stalking risk. Strava made it opt-in after pressure, but it existed as opt-out for years.

Nike Run Club

Nike Run Club requires a Nike account, which ties your running data to Nike’s broader marketing ecosystem. Your data can be used for personalized advertising across Nike’s platforms. Nike’s privacy policy allows them to share data with “Nike family of companies” and third-party partners.

The app collects device identifiers that allow cross-platform tracking. If you use a Nike account for shopping and running, those profiles are linked. Your running habits inform what products Nike markets to you.

MapMyRun (Under Armour)

MapMyRun is owned by Under Armour. In 2018, Under Armour’s MyFitnessPal platform suffered a data breach affecting 150 million accounts. While MapMyRun wasn’t directly breached, the incident highlighted the risk of having fitness data stored in a corporate ecosystem that’s a high-value target for attackers.

MapMyRun shares data with Under Armour’s advertising partners. Routes are social by default. The app collects audio data if you use the voice coaching feature.

Runkeeper (ASICS)

Runkeeper was acquired by ASICS in 2016. Your running data is now part of ASICS’s consumer data platform. The privacy policy permits sharing with ASICS affiliates and third-party service providers. Runkeeper collects precise location data, health metrics, and device information.

Like the others, Runkeeper’s social features default to sharing your activities.

The Pattern

Every major running app follows the same model: collect as much data as possible, default to public sharing, and monetize the aggregate data through advertising, partnerships, or product sales. The app is free because you’re the product.

Real Risks: 5 Ways Your Running Data Can Be Used Against You

This isn’t theoretical. These are documented, real-world scenarios.

1. Home Location Exposure

If your runs start and end at the same point, anyone who can see your activities knows where you live. Strava’s privacy zones (which hide the start and end of your runs within a set radius) help — but researchers have shown that with enough data points, the hidden location can be reverse-engineered by triangulating the edges of the privacy zone.

I’ve personally seen this in our running club. A member was startled when a stranger on Strava commented on their run and referenced their neighborhood by name. The stranger had simply looked at where the runs started on the map.

2. Daily Routine Tracking

Your running schedule reveals when you leave your house, how long you’re gone, and which routes you take. For someone with bad intentions, this is a surveillance log you’re voluntarily publishing. Burglars have used social media check-ins to identify when homes are empty. Running data is even more precise.

3. Health Data Profiling

Your heart rate patterns, pace trends, and activity levels paint a detailed picture of your physical health. This data is valuable to insurance companies, employers, and data brokers. While current regulations limit some of this, the data exists in corporate databases that can be breached, subpoenaed, or sold during acquisitions.

Health data collected by fitness apps is generally not protected by HIPAA in the US or PHIPA in Canada — those laws apply to healthcare providers, not app companies. Your running app has fewer legal obligations to protect your health data than your doctor’s office does.

4. Social Graph Exploitation

If your app shows who you run with, it reveals your social connections and physical meetup locations. Combined with public profiles, this creates a relationship map that can be used for targeted phishing, social engineering, or harassment.

5. Data Breach Exposure

Under Armour’s 2018 breach exposed 150 million accounts. Strava’s heatmap incident exposed military locations. The more data a company collects, the more damaging a breach becomes. Your running history from 2019 is still sitting on servers somewhere, protected by whatever security practices that company had five years ago.

How to Lock Down Your Current Running App

Even if you’re not ready to switch apps, you can significantly reduce your exposure right now. Here are specific steps for the most popular apps.

Strava Privacy Settings

1. Set your profile to “Followers Only” — Go to Settings > Privacy Controls > Profile Page. Change from “Everyone” to “Followers.”

2. Set activities to “Followers Only” or “Only You” — Settings > Privacy Controls > Activities. “Everyone” means anyone on the internet can see your routes.

3. Enable a Privacy Zone — Settings > Privacy Controls > Map Visibility > Hide Activity Start and End Points. Set zones around your home and work. Use the maximum radius available (roughly 1 km). Be aware this isn’t foolproof — set multiple zones if you have predictable alternate start points.

4. Disable Flyby — Settings > Privacy Controls > Flyby. Set to “No One.” This prevents strangers from seeing that you were near them during a run.

5. Review third-party app connections — Settings > Apps. Revoke access for anything you don’t actively use.

6. Disable Local Legends and Segment visibility — If you don’t want people knowing which segments you frequent.

7. Consider requesting your data archive — Strava lets you download all your data. Do it. Then decide how much of it you’re comfortable with a company storing indefinitely.

Nike Run Club

1. Go to your Nike account privacy settings (on nike.com, not just the app)
2. Opt out of personalized advertising
3. Limit data sharing with Nike partners
4. Review connected devices and revoke unused ones

General Tips for Any Running App

• Turn off social sharing — If the app has a social component, disable it unless you specifically want it.
• Don’t connect unnecessary accounts — Every connected service (Facebook, Google, Instagram) extends who has access to your data.
• Use a privacy-focused email — If the app requires an account, don’t use your primary email.
• Review permissions — Does your running app really need access to your contacts, microphone, or photos?
• Disable background location — Set location access to “While Using” instead of “Always” in your phone’s settings.

The Privacy-First Alternative

When we built RunMate Pro, we started from a different premise: what if a running app collected only the data it needs to function, stored it on your device, and never asked you to create an account?

That’s not a marketing angle. It’s an architectural decision we made before writing the first line of code.

No account required. You don’t enter an email, pick a username, or create a password. There’s nothing to breach because we don’t have your information.

No social features. No followers, no public profiles, no activity feed. There’s no way for a stranger — or anyone — to see your runs through RunMate Pro. We wrote about why we made that decision separately.

Local data storage. Your runs, routes, shoe data, and stats stay on your device. We don’t upload them to a server. We don’t aggregate them. We don’t sell them.

Optional Apple HealthKit sync only. If you want your runs reflected in Apple Health, you can enable it. If you don’t, nothing leaves the app. HealthKit data stays on your device and in your encrypted iCloud backup — Apple doesn’t have access to it either.

No GPS data leaves your phone. Your routes are recorded, stored, and displayed locally. There’s no heatmap, no route sharing, no uploaded GPX files.

This means RunMate Pro can’t do some things that other apps do. We can’t show you a social feed. We can’t compare your runs to other users. We can’t sell your movement data to city planners.

We’re fine with that. We built RunMate Pro to be a running tool, not a social platform. You can see all the details on our features page or check the FAQ if you have specific questions.

Privacy Comparison: Running Apps Side by Side

Here’s what each app collects and how it handles your data:

Data Point	Strava	Nike Run Club	MapMyRun	Runkeeper	RunMate Pro
Account required	Yes (email)	Yes (Nike ID)	Yes (email)	Yes (email)	No
GPS routes stored on server	Yes	Yes	Yes	Yes	No (device only)
Social/public profile	Yes (default public)	Limited	Yes (default public)	Yes	None
Data shared with third parties	Yes	Yes (Nike partners)	Yes (UA partners)	Yes (ASICS)	No
Advertising/profiling	Yes	Yes	Yes	Yes	No
Home location inferrable	Yes (unless privacy zones set)	Yes	Yes	Yes	No (no server upload)
Health data collected	HR, weight, VO2 max	HR, weight	HR, weight, nutrition	HR, weight	Optional HealthKit only
Data survives account deletion	Yes (anonymized)	Unclear	Unclear	Unclear	N/A (no account)
Past data breaches	Heatmap incident (2018)	None major	UA breach (150M accounts, 2018)	None major	N/A (no server data)

Frequently Asked Questions

Is Strava safe to use if I set everything to private?

Strava with locked-down privacy settings is significantly better than default Strava. But your data is still stored on Strava’s servers, still subject to their data retention policies, and still potentially exposed in a breach. Privacy zones help with home location, but they’re not bulletproof. If you like Strava’s features, absolutely use the privacy settings — the steps above make a real difference. Just understand the limitations.

Can running apps sell my health data?

In most jurisdictions, yes. Fitness app data is generally not covered by healthcare privacy laws like HIPAA (US) or PHIPA (Canada). App companies can use and share your health-related data according to their privacy policy — and most policies are written to allow broad sharing with partners and affiliates. Read yours carefully.

Does RunMate Pro need an internet connection?

GPS tracking requires an internet connection for location and map data. However, your run history, shoe data, and the Runner’s Guide injury prevention content are all stored locally on your device — accessible anytime. No account or cloud sync needed. Download RunMate Pro and try it.

What happens to my data if I delete RunMate Pro?

When you delete the app, your data is deleted. There’s no server copy, no backup we maintain, no anonymized dataset we keep for analytics. It’s gone. If you’ve enabled HealthKit sync, your run data in Apple Health remains (managed by Apple, under Apple’s privacy policies), but that’s Apple’s system, not ours.

How do I hide my home location on Strava?

Go to Settings > Privacy Controls > Map Visibility. Enable “Hide Activity Start and End Points” and add your home address as a privacy zone. Set the radius to the maximum available. Consider adding zones for work and any other frequent start points. Keep in mind this only hides the map — metadata like elapsed time and distance still starts from your actual location. For maximum protection, start your Strava recording a block or two away from home.

Your Data, Your Choice

I’m not here to tell you to delete Strava. Millions of runners love it, and if the social features motivate you, that has real value. What I am saying is: know what you’re sharing, make it a conscious choice, and lock down the settings you can control.

If you want a running app that eliminates these concerns entirely — no account, no server, no social, no data collection — RunMate Pro was built specifically for that. We track your runs, manage your shoe mileage, and give you injury prevention tools without knowing your name, your email, or where you live.

Your running data should be as private as your run itself. Nobody watches you run at 6 AM. Your app shouldn’t be broadcasting it either.

Download RunMate Pro free on the App Store — no account, no email, no tracking. Just running.

You can also review our privacy policy to see exactly what we do and don’t collect. It’s short. On purpose.