Skip to content

Digital-footprint literacy

Where Companies Get Your Personal Data From

A calm, plain-language map of the everyday moments that hand a company your personal data — what you give directly, what is gathered quietly as you browse, and what arrives from elsewhere — so your own footprint feels understandable rather than mysterious.

In short

Companies get your personal data from three broad places: information you give them directly, such as a sign-up form or purchase; information they observe as you use a site or app, like your device, clicks, and location; and information they obtain from other sources, including public records and other businesses. Most of it is ordinary, not hidden.

Data you give directly

The most familiar source is also the most visible: the details you hand over yourself. Every time you create an account, fill in a form, buy something, book an appointment, enter a competition, or sign up for a newsletter, you are giving a company a piece of personal data. Your name, email address, postal address, phone number, payment details, and date of birth most often arrive this way — knowingly typed in by you.

Some of this you provide because it is genuinely needed to deliver what you asked for; a delivery cannot arrive without an address. Some of it is asked for because it is useful to the company for other reasons, such as marketing or building a clearer picture of who its customers are. The two can look identical on a form, which is why it is worth pausing on fields that are optional rather than required.

Because this category is the one you can actually see, it is the easiest to manage. Choosing not to fill in optional fields, using a separate email address for sign-ups, and reading what a form says it will do with your details are small, calm habits that narrow how much you give away. This is general information, not legal advice.

  • Account sign-ups, purchases, bookings, competitions, and newsletter forms.
  • Typical fields: name, email, address, phone, payment details, date of birth.
  • Optional fields are often the most revealing — and the easiest to skip.

Data observed as you use a service

The second source is quieter. As you browse a website or use an app, the service can record how you interact with it without your typing anything in. This includes technical details about your device and connection — an IP address, browser type, screen size — and behavioural details such as the pages you view, the buttons you click, how long you stay, and sometimes your approximate location. Cookies and similar technologies are common tools for gathering this kind of information.

Many of these technical details are what data-protection law calls online identifiers: things like an IP address or a device identifier that can single you out even without your name attached. They feel impersonal, but combined together they can build a surprisingly specific picture of your habits. This is why two people using the same website can be shown different things — the service is responding to what it has observed about each of them.

You have more influence here than it first appears. Cookie and privacy settings, tracker-blocking, and the controls inside an app's settings let you reduce how much is observed. Where a service relies on your consent for non-essential tracking, you are usually entitled to decline it, and to change your mind later.

  • Device and connection details — IP address, browser, screen size.
  • Behaviour — pages viewed, clicks, time on page, approximate location.
  • Often gathered through cookies and similar technologies, governed by your settings and consent.

Data obtained from other sources

The third source is the least visible because it does not involve you at all in the moment. A company can obtain personal data about you from elsewhere: public records such as the electoral roll or company filings, openly available activity like a public profile or a review you left, and information shared, sold, or licensed between businesses. This is how a company you have never dealt with directly can still hold details about you.

Often this arrives along a chain. Data you once gave to one organisation can, depending on what you agreed to, travel through marketing lists, analytics partnerships, or supplier relationships until it reaches a company you never chose. The information is usually ordinary — an address, a purchase category, a rough estimate of interests — rather than anything dramatic, which is worth remembering when a profile feels uncomfortably knowing.

If you would like to replace guesswork with fact, you can make a Data Subject Access Request (DSAR) — your right under the UK GDPR (Article 15) to ask an organisation for a copy of the personal data it holds about you and where it came from. That is often the clearest way to see which of these three sources a particular company has relied on. This is general information, not legal advice; for a specific concern, consider a qualified adviser or your data-protection authority.

  • Public records — electoral roll, company filings, property and court records.
  • Openly available activity and data shared or licensed between businesses.
  • A DSAR (UK GDPR Article 15) lets you ask a company what it holds and where it came from.

Frequently asked questions

What are the main ways a company can get my personal data?

Three broad ways. First, data you give directly through forms, purchases, and sign-ups. Second, data observed as you use a site or app, such as your device, clicks, and approximate location. Third, data obtained from elsewhere, including public records and other businesses. Most of it is ordinary information rather than anything hidden.

Is data collected through cookies counted as my personal data?

Often, yes. Details like an IP address or a device identifier are what data-protection law calls online identifiers, and they can single you out even without your name attached. When such information relates to you, it is treated as personal data, and non-essential tracking usually relies on your consent, which you can decline or withdraw.

How can a company I have never dealt with have my data?

Usually because the data reached it indirectly. Information you gave to one organisation can, depending on what you agreed to, be shared or licensed along a chain of businesses, and some details come from public records. So a company you never chose may still hold ordinary details about you that travelled through other sources.

Does OSINTA collect or track my data to show me this?

No. OSINTA is self-only and does not watch, track, or scan anyone or anything on your behalf. It helps you understand your own digital footprint from information that is already public, and frame and route your own data-rights requests, with your say-so at every step. It cannot promise removal, because that rests with whoever holds the data.

Related terms

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.

See what a company actually holds about you

OSINTA helps you understand your own footprint and frame and route your own rights requests — you stay in control of every step. There is no rush and no pressure.

See the DSAR guideJoin the waitlist