Over the weekend, news broke that data from the fitness-tracking app Strava was revealing information on clandestine locations. The map was so detailed that it revealed paths on military bases.

While broadcasting your whereabouts is a bad security policy, users likely weren’t aware that their information would be available in this much detail. A scroll through the Strava app also shows it takes some dedicated digging to find the opt-out for the heat map specifically, in a frustrating move for people who are vigilant about tracking.

Strava, which lets users show off their running and cycling routes, offers privacy control options, as similar location-tracking apps do. But the company has been criticized in the past for not making it clear how to tweak those options, or what they entail. In August, for example, Quartz found that an “enhanced privacy” option may not provide as much privacy as some would hope: users’ routes showed up on public “leaderboards” while the setting was on.

Unfortunately for users in sensitive areas, it’s not seamlessly easy to opt out of the heat map, either. While the company does provide an opt-out box specifically for data used in the map, you may have difficulty finding it from the mobile app.

On the web, it’s fairly straightforward. Under settings, there’s a privacy tab that shows this box:

The service’s mobile apps don’t have a dedicated option but provide circuitous routes to the web option.

For iOS users, there is no immediately visible option for the heat map. To find it, users have to navigate to settings, then the privacy dashboard, where they are presented with various switches controlling the sharing of data. At the bottom of the page, in small text, they can find a link to “further customize” privacy options. That will bring them to the web version of the service, where they can opt out of the heat map.

Android is even more challenging. From the privacy dashboard in the app, users have to select “learn more,” then “learn more” on a second page, and finally click the “personal settings page,” which brings them back to the web version of privacy settings.

Without a dedicated box in the app, it’s not unreasonable to think Strava users might never see the opt-out option, and instead stop at the first screen. Even now, when users may be actively looking for the setting, it’s not easy to spot.

There does appear to be one option within the app to keep your activities off of the heat map, but it’s not clearly labeled. In a statement yesterday, a Strava spokesperson said the heat map excludes private activities, and activities in “user-defined privacy zones.” The app includes an option, beneath the “Enhanced Privacy” setting, to set all future activities as “private by default,” although it doesn’t mention the heat map.

Strava also allows users on the web to set individual activities as private after the fact and to mark certain areas as private, but you have to reach the same webpage where the heat map opt-out box is available. (The map does not directly identify users, but the map is built from data set to “public,” and it’s possible to view individual, public exercises on the app.)

Strava has incentive to encourage sharing: the company has billed itself as the social network for athletes. But that goal may not always align with users who not only want, but need, obvious privacy controls. The Department of Defense today urged personnel to use privacy settings, but that advice won’t help much if it’s not clear how to make the change.

In the statement released yesterday, the company defended its practices. “We are committed to helping people better understand our settings to give them control over what they share,” the spokesperson said.

Update, January 30, 3:16 PM ET: Further clarifies what kinds of data are used in the map and the app.