Who can legally pull your credit report?
Only someone with a permissible purpose under FCRA Section 1681b: a lender you applied to, an existing creditor reviewing your account, a collector collecting a debt, an insurer underwriting you, an employer with written consent, a landlord processing your application, or anyone you instruct in writing. A pull without permissible purpose violates the FCRA.
The permissible purpose list
Your credit report is not public information. FCRA Section 1681b defines the complete list of reasons someone may access it, and anything outside the list is off limits. The common ones:
- You applied for credit, and the lender is evaluating the application.
- An existing creditor is reviewing your account (a periodic soft pull).
- A debt collector is collecting on an account.
- An insurance company is underwriting a policy you sought.
- An employer is screening you, with your written consent.
- A landlord is processing your rental application.
- You gave written instructions, which is how services like CreditRefresh access your reports.
- A court order or certain government functions require it.
Hard vs. soft access
Permissible purpose governs whether someone may see your file at all. Separately, the type of pull determines score impact: applications create hard inquiries, while account reviews, prescreened offers, employment checks, and your own access (including every pull CreditRefresh runs) are soft and never affect your score.
When a pull crosses the line
Pulling a report without a permissible purpose, like an ex-partner's snooping, a business checking someone with no application in play, or a collector pulling after a debt was resolved, violates the FCRA and can support a lawsuit. The visible symptom is usually a hard inquiry you cannot explain.
What to do about an unexplained inquiry
First rule out the benign explanations: lenders sometimes pull under a parent company's name, and a single auto or mortgage application can generate several inquiries. If it is genuinely unauthorized, it is disputable, and if it is accompanied by accounts you never opened, treat it as identity theft and act on that immediately.
Related articles
A soft pull is a credit check that doesn't affect your score and isn't visible to other lenders — covering things like checking your own credit, pre-approval offers, and the pulls CreditRefresh runs on your reports. A hard pull is a credit check tied to a credit application that does affect your score, usually by a small amount, and stays visible to lenders for two years.
Identity theft happens when someone uses your personal information to open accounts or make purchases in your name. Signs on your report include unfamiliar accounts, hard inquiries you don't recognize, addresses you've never lived at, and collections for debts that aren't yours. Active theft requires filing an FTC report at IdentityTheft.gov, freezing your credit, and disputing fraudulent items.
A credit freeze blocks most new credit applications by preventing lenders from pulling your credit reports. It's free, federally protected, and the strongest single tool against identity-theft-driven new accounts. A freeze affects bureau pulls — including services like CreditRefresh — so frozen reports need to be temporarily thawed for scans and disputes.