
What Strava's Heatmap Reveals, Even on Private Activities

Strava's aggregated heatmap data has exposed military bases and world leaders' security details. Here's how 'anonymous' location data still identifies you.

In 2024, journalists used Strava’s public Global Heatmap to trace the movements of a French nuclear submarine crew and identify security routines around world leaders, including a sitting U.S. president. None of that required hacking anything. The data was aggregated, de-identified, and entirely within Strava’s own privacy design — and it still revealed exactly what it wasn’t supposed to.

If you’ve searched “Strava heatmap privacy” or wondered whether your “private” fitness activities are actually private, the underlying lesson applies well beyond Strava: aggregated data isn’t the same thing as anonymous data, and the gap between those two ideas is where most location-privacy failures actually happen.


How the Heatmap Is Supposed to Protect You

Strava’s Global Heatmap shows where people run, ride, and exercise, built from activity data shared by users. The system has real privacy safeguards baked in: heat only appears in an area once a minimum number of unique athletes — Strava sets this threshold at five — have recorded activity there within the past year, specifically so a single person’s individual route can’t be isolated from the aggregate.

Users can also opt out of contributing to the de-identified dataset entirely, hide the start and end points of individual activities, and set “privacy zones” — a 200 to 400 meter radius around home or work where activity is hidden from public view, specifically to stop someone from working backward from a running route to a home address.

On paper, this is a thoughtful privacy design: aggregate enough people together, and no single person’s pattern should be extractable.


Where the Aggregation Breaks Down

The submarine and security-detail incidents happened precisely because the aggregation threshold that protects ordinary users can fail in low-population-density contexts.

Small groups defeat the “minimum athletes” protection. The five-athlete threshold works well in a city, where thousands of people run similar routes and no single person’s path stands out. It works far less well on a military base, a remote facility, or anywhere only a small, specific group of people exercises — because in that context, the “aggregate” of five-plus athletes might still represent only soldiers stationed at one specific, sensitive location. The heat pattern reveals the base’s perimeter and internal layout even though no single athlete is individually named.

Patterns reveal identity even without names. A security detail running a consistent loop around a specific residence, at a specific time, repeated daily, creates a heat signature distinct enough that, combined with public knowledge of who lives there, the “anonymous” data becomes attributable. The de-identification protects against Strava revealing a name. It does much less against inference by people who already have other context.

Privacy zones only protect what you mark. A privacy zone around your home address does nothing for a workplace, a frequently visited friend’s house, or any other location you haven’t specifically flagged — and most users set up privacy zones once, if at all, and never revisit them as their routines change.
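The threshold failure described above, as an added toy model (constructed data, not Strava's code or real resolution): each athlete carries a cohort label that the platform never sees but an observer with local context effectively knows, and the check flags cells that clear the five-athlete head count yet are fed by a single cohort.

```python
from collections import defaultdict

# Grid cell size in degrees (~100 m); a toy choice, not Strava's real resolution.
CELL_DEG = 0.001

def cell_key(lat, lon, cell=CELL_DEG):
    """Snap a coordinate to the grid cell (the heatmap 'pixel') it falls in."""
    return (round(lat / cell), round(lon / cell))

def aggregate(activities, min_athletes=5):
    """Cells that clear the threshold, with how many athletes and cohorts fed them.

    activities: iterable of (athlete_id, cohort, [(lat, lon), ...]).
    A cell shows heat only once at least `min_athletes` distinct athletes
    recorded a point in it (the article cites Strava's threshold of five).
    The cohort label is a modelling assumption: the platform never sees it,
    but an observer who knows who exercises at a location effectively does.
    """
    athletes, cohorts = defaultdict(set), defaultdict(set)
    for athlete_id, cohort, points in activities:
        for lat, lon in points:
            key = cell_key(lat, lon)
            athletes[key].add(athlete_id)
            cohorts[key].add(cohort)
    return {key: {"athletes": len(ids), "cohorts": len(cohorts[key])}
            for key, ids in athletes.items() if len(ids) >= min_athletes}

def low_diversity_cells(heat, min_cohorts=2):
    """Cells that pass the head count yet are fed by a single cohort."""
    return {key for key, v in heat.items() if v["cohorts"] < min_cohorts}

def loop(lat, lon, n=3):
    """A short constructed track of n points inside one grid cell."""
    return [(lat + 0.0001 * j, lon) for j in range(n)]

# Constructed sample data: a city park used by eight people from four cohorts,
# a perimeter loop run by six people who all belong to one cohort (the
# 'base' case), and a trail used by only two people.
CITY = [(f"c{i}", ["student", "nurse", "retired", "office"][i % 4],
         loop(48.8600, 2.3500)) for i in range(8)]
BASE = [(f"b{i}", "base", loop(48.2000, -4.5000)) for i in range(6)]
TRAIL = [(f"t{i}", "hiker", loop(51.5000, -0.1000)) for i in range(2)]

def demo():
    """Return (visible heat cells, cells that are 'anonymous' in name only)."""
    heat = aggregate(CITY + BASE + TRAIL)
    return heat, low_diversity_cells(heat)
```

The trail cell never appears (two athletes is below the threshold), the park cell is genuinely mixed, and the base cell passes the same threshold while every contributor belongs to one group, which is the gap the article describes.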


This Pattern Isn’t Unique to Strava

The deeper issue — that aggregated, de-identified data can still leak identifying patterns — shows up anywhere location or behavioral data gets pooled and visualized, not just fitness apps.

Any app with a “heatmap,” “trending,” or “popular near you” feature is running a version of the same tradeoff. The privacy protection depends entirely on the size and diversity of the population being aggregated in any given area, which varies enormously by location and isn’t something the end user can see or verify.

Metadata patterns can re-identify even without GPS. A photo library with consistent timestamp and location metadata, even if no single photo is shared publicly, creates a pattern of where you are and when — the same structural risk as a heatmap, just expressed through a different kind of data.

“We only share aggregated data” is a common reassurance in privacy policies, and it’s not always sufficient. It’s worth treating that phrase as a starting point for questions — how is it aggregated, what’s the minimum group size, does that minimum hold in low-density contexts — rather than as a guarantee that ends the conversation.


What to Actually Check in Strava (or Any Similar App)

If you use Strava or a comparable fitness-tracking app, a few settings are worth auditing directly rather than assuming the defaults protect you:

1. Confirm whether you’re contributing to aggregate datasets. Strava’s de-identified aggregate contribution is an opt-in setting: check whether it’s enabled and decide deliberately, rather than leaving it at whatever the default was when you signed up.

2. Set privacy zones around every location that matters, not just home. Work, a partner’s home, a gym you visit at the same time every week — anywhere a consistent pattern could be attributed to you is worth hiding the start/end point for.

3. Review what’s visible to “Everyone” versus followers. Activities set to public visibility are the ones eligible for inclusion in aggregate, publicly viewable heatmaps in the first place — restricting visibility removes that activity from the pool regardless of other settings.

4. Reconsider live-location sharing during the activity itself, which is a separate feature from the heatmap and carries its own real-time exposure risk if shared broadly.
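Step 2's audit, as an added example run over your own exported activities (not a Strava feature; the coordinates, the 200 m zone radius and the 55 m snapping grid are constructed assumptions): it clusters recurring start/end points and reports the ones no privacy zone covers.

```python
import math
from collections import Counter

EARTH_RADIUS_M = 6_371_000
GRID_DEG = 0.0005  # ~55 m; nearby endpoints snap to the same cell

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def snap(point):
    """Round a point onto the grid so repeat visits to one place cluster."""
    return (round(point[0] / GRID_DEG) * GRID_DEG,
            round(point[1] / GRID_DEG) * GRID_DEG)

def covered(point, zones):
    """True if the point lies inside any (centre, radius_m) privacy zone."""
    return any(haversine_m(point, centre) <= radius for centre, radius in zones)

def uncovered_endpoints(activities, zones, min_visits=3):
    """Recurring start/end locations that no privacy zone hides.

    activities: iterable of (start, end) points. One-off endpoints are
    ignored because recurrence is what makes a location attributable.
    """
    counts = Counter(snap(p) for start_end in activities for p in start_end)
    return {p: n for p, n in counts.items()
            if n >= min_visits and not covered(p, zones)}

# Constructed sample: a home with a 200 m zone, a workplace with no zone,
# and a park visited once. Coordinates are made up for the example.
HOME, WORK, PARK = (52.5200, 13.4050), (52.5100, 13.3900), (52.5300, 13.4200)
ZONES = [(HOME, 200)]

def jitter(point, i):
    """Shift a point by a few metres, as GPS fixes at one spot vary."""
    return (point[0] + 0.00005 * (i % 3), point[1] - 0.00005 * (i % 2))

ACTIVITIES = ([(jitter(HOME, i), jitter(HOME, i + 1)) for i in range(5)]  # loops from home
              + [(jitter(HOME, i), jitter(WORK, i)) for i in range(4)]    # commutes
              + [(PARK, jitter(HOME, 2))])                                 # one park run

def demo():
    """Audit the constructed account; returns {snapped point: visit count}."""
    return uncovered_endpoints(ACTIVITIES, ZONES)
```

Snapping can move a point by up to about 40 m, so the zone check is approximate and a zone radius well above the grid size is assumed.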


The Broader Lesson for Anything You Store

The Strava heatmap story is a useful, concrete example of a principle that applies to personal photos and files too: data doesn’t have to be individually identified to be revealing, and “anonymized” or “aggregated” is doing real work as a privacy claim — work that’s worth checking, not just trusting.

This is part of why metadata matters as much as content. A photo’s embedded location and timestamp data, a file’s access pattern, a backup’s upload schedule — none of these are “the photo itself,” but in aggregate they can describe your life with uncomfortable precision, the same way thousands of anonymous running routes described a submarine base’s exact footprint.

A storage provider’s responsibility here is narrower than a fitness app’s — daftei doesn’t build public heatmaps or aggregate your activity for anyone to view, and it doesn’t process your files for any purpose beyond providing the storage itself. Files are encrypted in transit with TLS 1.3 and at rest with AES-256, and daftei doesn’t sell data or share it with third parties for analysis. The aggregation risk that affected Strava users specifically comes from features that compile and visualize user data across a population — a feature daftei doesn’t build, because there’s no advertising or engagement incentive driving it.


Aggregate Isn’t a Magic Word

“We only use aggregated, de-identified data” sounds reassuring, and often it should be — it’s a genuine, meaningful privacy protection compared to sharing raw, individually-identified data. But the submarine and security-detail incidents are a real-world demonstration that the protection has limits tied to population size and context, limits that don’t show up in a privacy policy’s plain-language summary.

The practical habit worth taking from this: when an app explains a privacy protection in terms of aggregation, ask what the minimum group size is and whether it holds in the context you actually care about — your neighborhood, your workplace, your specific routine — not just in the dense urban example used in the marketing.
