# Compliance Notes

This platform is intentionally conservative.

## Allowed source modes

1. Public product pages that are accessible without login and not disallowed by robots.txt or terms.
2. Public sitemaps where automated access is permitted.
3. Supplier, partner or retailer CSV/Excel feeds received with permission.
4. Manually supplied copied HTML/text/OCR text.
5. Authorised APIs with written permission.

## Stop conditions

The public fetcher stops and logs a non-success compliance decision when it detects:

- HTTP 401
- HTTP 403
- HTTP 429
- CAPTCHA indicators
- login-wall indicators
- bot-protection indicators
- robots.txt disallowance
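
The stop logic above can be expressed as two small gates, one before the request and one on the response. This is an added sketch, not the platform's own code: the function names, the decision tuples, the `example-fetcher` user agent and the indicator marker strings are all assumptions, since this page does not say how indicators are detected.

```python
from urllib.robotparser import RobotFileParser

STOP_STATUSES = {401, 403, 429}

# Assumed marker strings, for illustration only; the page does not list its indicators.
INDICATORS = {
    "captcha": ("g-recaptcha", "h-captcha"),
    "login_wall": ('type="password"',),
    "bot_protection": ("checking your browser",),
}

def robots_allows(robots_txt, user_agent, url):
    """Evaluate an already-downloaded robots.txt body against the target URL."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)

def pre_fetch_decision(url, robots_txt, user_agent):
    """Run before any request to the page itself."""
    if not robots_allows(robots_txt, user_agent, url):
        return ("stop", "robots_disallowed")
    return ("proceed", "robots_allowed")

def post_fetch_decision(status, body):
    """Run on the response; the first stop condition found ends processing of the URL."""
    if status in STOP_STATUSES:
        return ("stop", f"http_{status}")
    lowered = body.lower()
    for reason, markers in INDICATORS.items():
        if any(marker in lowered for marker in markers):
            return ("stop", reason)
    return ("proceed", "ok")

# Constructed sample inputs (not taken from any real site).
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /account/\n"
SAMPLE_CAPTCHA_PAGE = '<html><div class="g-recaptcha" data-sitekey="x"></div></html>'
SAMPLE_PRODUCT_PAGE = "<html><h1>Oat milk 1L</h1></html>"

if __name__ == "__main__":
    # The caller is expected to log every ("stop", reason) result and not retry.
    print(pre_fetch_decision("https://shop.example/account/orders", SAMPLE_ROBOTS, "example-fetcher"))
    print(post_fetch_decision(200, SAMPLE_CAPTCHA_PAGE))
    print(post_fetch_decision(200, SAMPLE_PRODUCT_PAGE))
```

A `("stop", reason)` result is terminal for that URL: the reason string is what gets written to the compliance log.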

## Explicitly prohibited

- private mobile app API scraping
- man-in-the-middle capture of app traffic
- auth bypass
- rate-limit evasion
- proxy rotation to avoid controls
- CAPTCHA solving
- spoofing client certificates, device IDs or app headers
- barcode inference

## Barcode handling

`barcode_or_gtin` is only populated when supplied by:

- a visible public page field
- an authorised data feed
- a supplier/partner file
- a licensed GTIN dataset

Otherwise leave blank and set `barcode_source = not publicly available`.
