My friend just asked me: Does CityStrides collect my Strava friend list?
I read the privacy policy and it says “collects running and walking activities” but doesn’t explicitly list the scopes it doesn’t collect. Could that be improved somewhat? “We don’t collect X, Y, and Z”… (obviously that list could be annoying to maintain, but some folks as you know are really into privacy.
Just a thought!
M.
Yeah, for the exact reason you mention - the effort of maintaining a list of things I don’t collect - I’m not likely to begin that effort. I suppose I can add a paragraph just below the “Data Collection, Usage, and Sharing” title which explicitly states that if it isn’t mentioned in the page then it isn’t collected.
Or perhaps a more technical mention of the scopes used? Link to Strava scopes? I guess I could check this out by … I think re-authenticating in incognito?
Anyway, it’s always icky granting access to other services, so I think it’s worthwhile trying to build confidence in your privacy policy. It probably seems like a waste of time, but that’s because you already trust you 
Ah, for Strava-specific “level of access” info … The connection requires read all access to activities, but that’s clearly and only requested during the login flow.
There are only two scopes presented during login (the screen allowing access to the Strava account):
If both aren’t checked, I kick you back out through the login page.
This is also in the same land of it not making sense to list everything not being asked for - at least, that’s what Strava has also decided … They could have gone the UI route of displaying all possible options with the non-requested options greyed out and un-selectable. Instead they opted to show the checkboxes for the access the apps (CityStrides in this case) do request access to.
Adding to all of this, I need to write a generically accessible privacy page - readers could be using one/some of a various number of different services that may or may not provide similar levels of access. 