Data Collection & Legal Compliance
How TheirStack collects job and company data from publicly available sources, the legal frameworks we operate under (CFAA, GDPR, hiQ Labs ruling), and how individuals can exercise their rights.
This page explains where our data comes from, the principles that govern our collection methods, and the legal frameworks under which we operate.
Disclaimer: This page describes our compliance practices but does not constitute legal advice. For specific legal questions about your use case, please consult your own counsel.
Our principles
1. Public data only
We collect only data that is publicly displayed on the open web, without authentication or paywall. Job postings on public job boards, company career pages, and listings exposed by public Applicant Tracking Systems are designed by their publishers to be visible, indexed, and amplified.
2. We never log in, we never bypass
We never log in to any platform to collect data. We do not use credentials, do not share accounts, and do not bypass authentication, paywalls, CAPTCHAs, or other technical access controls. If a page is gated, we leave it alone.
3. Transformative processing
We do not republish source pages verbatim. Every record is the result of significant transformation: deduplication across sources, company resolution, industry normalization, location standardization, technology and keyword extraction, freshness scoring, and quality checks. See Data workflow.
4. Data minimization
We collect only the fields necessary to describe a job opportunity or a company's hiring activity. We do not store personal contact data such as individual emails or phone numbers.
Legal frameworks
United States — CFAA and the hiQ Labs ruling
The landmark hiQ Labs v. LinkedIn ruling by the U.S. Ninth Circuit (reaffirmed in 2022) confirmed that scraping data publicly accessible without authentication does not violate the Computer Fraud and Abuse Act (CFAA). The court held that information any visitor can see without logging in is not "protected" under the CFAA.
Our collection model is built directly on this principle: no login, no bypass, public data only.
European Union — GDPR
We comply with the General Data Protection Regulation. Detailed practices are documented in our GDPR page and Privacy Policy. Key points:
- Lawful basis: legitimate interest under GDPR Article 6(1)(f) for aggregating publicly available employment market data.
- Data minimization: we collect only the fields publicly displayed on a posting; no personal contact data.
- Transparency: this page, our Privacy Policy, and our GDPR page together describe what we collect and how it is processed.
Individual rights and opt-out
Individuals have the right to access, rectify, or request erasure of any personal data we may hold about them, and may opt out of being included in our datasets at any time.
To exercise any of these rights, contact us through the channels listed in our Privacy Policy, or email hi@theirstack.com. We respond within the timelines required by applicable data protection law.
Further reading
- Terms of Service
- Privacy Policy
- Data Processing Agreement (DPA)
- GDPR
- Subprocessors
- Job data sources
- Data workflow
If you have a specific legal or compliance question not covered here, reach out at hi@theirstack.com.
