---
title: Data Collection & Legal Compliance
description: How TheirStack collects job and company data from publicly available sources, the legal frameworks we operate under (CFAA, GDPR, hiQ Labs ruling), and how individuals can exercise their rights.
url: https://theirstack.com/en/docs/legal/data-collection
---

This page explains where our data comes from, the principles that govern our collection methods, and the legal frameworks under which we operate.

> **Disclaimer**: This page describes our compliance practices but does not constitute legal advice. For specific legal questions about your use case, please consult your own counsel.

* * *

## Our principles

### 1\. Public data only

We collect only data that is **publicly displayed on the open web**, without authentication or paywall. Job postings on public job boards, company career pages, and listings exposed by public Applicant Tracking Systems are designed by their publishers to be visible, indexed, and amplified.

### 2\. We never log in, we never bypass

We **never log in** to any platform to collect data. We do not use credentials, do not share accounts, and do not bypass authentication, paywalls, CAPTCHAs, or other technical access controls. If a page is gated, we leave it alone.

### 3\. Transformative processing

We do not republish source pages verbatim. Every record is the result of significant transformation: deduplication across sources, company resolution, industry normalization, location standardization, technology and keyword extraction, freshness scoring, and quality checks. See [Data workflow](/en/docs/data/job/data-workflow).

### 4\. Data minimization

We collect only the fields necessary to describe a job opportunity or a company's hiring activity. We do **not** store personal [contact data](/en/docs/app/contact-data) such as individual emails or phone numbers.

* * *

## Legal frameworks

### United States — CFAA and the hiQ Labs ruling

The landmark **hiQ Labs v. LinkedIn** ruling by the U.S. Ninth Circuit (reaffirmed in 2022) confirmed that scraping data **publicly accessible without authentication** does not violate the Computer Fraud and Abuse Act (CFAA). The court held that information any visitor can see without logging in is not "protected" under the CFAA.

Our collection model is built directly on this principle: no login, no bypass, public data only.

### European Union — GDPR

We comply with the General Data Protection Regulation. Detailed practices are documented in our [GDPR page](/en/docs/legal/gdpr) and [Privacy Policy](/en/docs/legal/privacy-policy). Key points:

- **Lawful basis**: legitimate interest under GDPR Article 6(1)(f) for aggregating publicly available employment market data.
- **Data minimization**: we collect only the fields publicly displayed on a posting; no personal contact data.
- **Transparency**: this page, our Privacy Policy, and our GDPR page together describe what we collect and how it is processed.

* * *

## Individual rights and opt-out

Individuals have the right to access, rectify, or request erasure of any personal data we may hold about them, and may opt out of being included in our [datasets](/en/docs/datasets) at any time.

To exercise any of these rights, contact us through the channels listed in our [Privacy Policy](/en/docs/legal/privacy-policy), or email [hi@theirstack.com](mailto:hi@theirstack.com). We respond within the timelines required by applicable data protection law.

* * *

## Further reading

- [Terms of Service](/en/docs/legal/terms-and-conditions)
- [Privacy Policy](/en/docs/legal/privacy-policy)
- [Data Processing Agreement (DPA)](/en/docs/legal/dpa)
- [GDPR](/en/docs/legal/gdpr)
- [Subprocessors](/en/docs/legal/subprocessors)
- [Job data sources](/en/docs/data/job/sources)
- [Data workflow](/en/docs/data/job/data-workflow)

If you have a specific legal or compliance question not covered here, reach out at [hi@theirstack.com](mailto:hi@theirstack.com).