Privacy Policy
Last updated: April 2026
Short version: this server stores only the tokens needed to call the Strava API on your behalf. No activity data, routes, or health metrics are stored permanently. You can delete your data at any time.
What data is stored
When you connect your Strava account, the following is stored in Cloudflare KV (a key-value store operated by Cloudflare, Inc.):
- An OAuth access token issued by this server (used to authenticate your requests to the MCP server)
- Your Strava refresh token (used to request fresh Strava access tokens on your behalf)
- A cached Strava access token (short-lived, refreshed automatically)
- Temporarily: stream data from individual Strava activities, cached for up to 30 days to reduce API calls to Strava. This cache is stored per-user and deleted when you revoke access.
What data is never stored
- Your name, email, or Strava profile details
- Your activity history, routes, segments, or any other Strava data beyond the short-lived stream cache described above
- Any data beyond what is needed to fulfil your requests to Claude
How data is used
Tokens are used solely to call the Strava API in response to your requests made through Claude. No data is shared with third parties, used for analytics, or sold.
This server is a thin pass-through. It does not analyse, process, or store your Strava activity data. All data returned from the Strava API is passed directly to Claude and is not retained.
Data retention
- OAuth access tokens: stored for up to 1 year, or until revoked.
- Strava access token cache: expires automatically (typically 6 hours).
- Stream cache: expires after 30 days per activity, or is deleted immediately on revocation.
Data controller
The data controller for this service is Mike Keefe (privacy@mikekeefe.com). For any privacy-related requests, contact this address or open an issue on GitHub.
Lawful basis for processing
Data is processed on the basis of performance of a contract (Article 6(1)(b) GDPR): storing your tokens is necessary to provide the service you requested — calling the Strava API on your behalf in response to queries made through Claude. Without storing these tokens, the service cannot function.
Your rights under GDPR
If you are in the EEA, UK, or another jurisdiction with similar data protection laws, you have the following rights:
- Right of access — you can request a copy of the data held about you. In practice, this is limited to your OAuth tokens (which are opaque values) and, if applicable, temporarily cached stream data. Contact privacy@mikekeefe.com to request this.
- Right to erasure — you can delete all data at any time:
  - Disconnect the connector in Claude — revokes your token and immediately deletes all associated KV records, including stream cache.
  - Revoke access on Strava — go to strava.com/settings/apps and remove this app. Strava notifies this server via webhook and all stored data is deleted within seconds.
- Right to data portability — you can request the data held about you in a machine-readable format. Given that the only data stored is token values and ephemeral caches, there is little to port; contact privacy@mikekeefe.com if you need this.
- Right to rectification — if any stored data is inaccurate, you can request correction. In practice, token values are system-generated and cannot be corrected independently; revoking and re-authorising will replace them.
- Right to object / right to restrict processing — you can object to processing or request that processing is restricted. Because tokens are required for the service to function, the practical effect of exercising this right is that the service cannot be provided and your data will be deleted.
To exercise any of these rights, email privacy@mikekeefe.com or open an issue on GitHub. Requests will be addressed within 30 days.
Right to complain to a supervisory authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a data protection supervisory authority. In the UK this is the Information Commissioner's Office (ICO); in the EU, contact your national data protection authority.
Strava API terms
This application uses the Strava API and complies with the Strava API Agreement. By using this server, you also agree to Strava's terms. This application uses only read-only scopes (read, activity:read_all, profile:read_all) and never modifies your Strava data.
Self-hosted deployments
strava-mcp is open source. If you deploy your own instance, you control all stored data. This privacy policy applies only to instances explicitly operated by the project maintainer. For self-hosted deployments, you are the data controller.
Infrastructure
This server runs on Cloudflare Workers. Token data is stored in Cloudflare KV, which is subject to Cloudflare's privacy policy. Cloudflare may process data in multiple regions.
Observability and logging
Worker-level observability is disabled. No request logs, token values, or response bodies are stored by the server. Standard Cloudflare infrastructure logs (IP addresses, request counts) may be retained by Cloudflare per their own policy.
Contact
For privacy-related requests or questions, open an issue at github.com/mike-keefe/strava-mcp or email privacy@mikekeefe.com.