Skip to content
Knowledge Center

Knowledge center for running your lead operation

Running a lead operation stopped being a matter of collecting as many contact details as possible a long time ago. Anyone running a platform for publishers and buyers today needs to be able to show where a request came from, whether there is valid consent, and how the data was processed. In this knowledge center you will find practical articles, in-depth guides and a clear compliance knowledge base: everything to run your operation under your own brand safely and demonstrably.

We write in plain language, not legal jargon. Every resource is meant to help you take a step forward: from a quick definition to a complete checklist you can hold up against your own platform.

GDPR-compliant EU data residency Full audit trail

Categories

Quickly find the knowledge you are looking for, from practical articles to in-depth documentation. Click a category to jump straight to the right section.

Featured

The most-read knowledge on consent, provenance and demonstrably running your platform.

Article

Proving provenance: from source channel to audit trail

Record where each lead comes from per request, traceable all the way back to the source.

Read more: Proving provenance: from source channel to audit trail
Guide

AI agents and compliance: letting requests arrive safely

The same consent, provenance and audit trail, whether the request comes from a human or an AI agent.

Read more: AI agents and compliance: letting requests arrive safely
Article

Measuring lead quality: from scattered signals to a single score

Which signals predict quality and how to make them measurable in your own platform.

Read more: Measuring lead quality: from scattered signals to a single score
Compliance knowledge base

The concepts that carry compliance

Before you set up your platform, it helps to have the core concepts clear. Below we explain the six terms that come up in almost every conversation about safely running a lead operation: short, concrete and without legal jargon.

GDPR

The General Data Protection Regulation (GDPR) is the European privacy law that applies the moment you process personal data. For a lead operation that means: a valid legal basis for every processing activity, data minimization and clear agreements on retention and sharing. The GDPR does not prescribe fixed retention periods, but requires that you can justify every choice: something OXIAE records for you by default inside your platform.

Data protection authority principles

Your national data protection authority is the regulator that enforces the GDPR. In its guidance, it explains how principles such as purpose limitation, transparency and demonstrable consent play out in practice. OXIAE is built around those principles, so the operation you run on the platform lines up with what regulators expect.

Bar association rules

If you serve buyers in a legal context, bar association conduct rules apply on top of the GDPR, covering matters such as solicitation and how clients may be approached. Bar-aware lead generation means provenance and consent are recorded in your platform in a way a legal buyer can account for.

Consent

Consent is one of the legal bases under the GDPR and must be freely given, specific, informed and unambiguous. In practice that means: the requester knew what they were consenting to, gave it actively, and can withdraw it. Valid consent is not a checkbox added after the fact, but a demonstrable fact with a timestamp and context, for every request that comes in through your platform.

Provenance

Provenance describes exactly where a lead comes from: the source channel, the campaign or label, the landing page and the time it arrived. Verifiable provenance makes the difference between an anonymous row of data and a request you can trace all the way back to the source. It is the foundation of trust between your publishers and the buyers you serve.

Audit trail

An audit trail is the immutable log of every processing step a request goes through, from intake and consent to matching, routing and payout. Records are never overwritten, only appended. As a result you can reconstruct at any moment what happened to a lead, who received what, and on what basis that was allowed, automatically, for every request that runs through your platform.

Glossary

A quick reference to the terms you will come across in our articles, guides and in the platform. Handy to keep nearby when you are just getting started with running a demonstrable lead operation.

Lead
A request or contact from someone with demonstrable interest, accompanied by provenance and consent.
Controller
The party that determines the purpose and means of the data processing and bears ultimate responsibility.
Processor
The party that processes personal data on behalf of and on the instructions of the controller.
Data processing agreement
The legally required agreement between controller and processor on how data is processed.
Legal basis
The legal foundation for a processing activity, such as consent or a legitimate interest.
Data minimization
The principle that you process no more data than is strictly necessary for the purpose.
Retention period
The period during which you may keep data; afterwards it is deleted or anonymized.
Purpose limitation
Data may only be used for the purpose for which it was collected.
Privacy by design
Privacy is built into a system from the design stage, not added afterwards.
Routing
The rule-based distribution of requests to the right buyer within your platform.

Get started: reading paths by phase

Not every lead network is in the same phase. That is why we have mapped out three routes through the knowledge center: pick the phase that fits your platform best and follow the steps in order.

Lead generator getting started

Setting up your first lead operation under your own brand? Make sure consent and provenance are right from day one.

  1. 1 Start with the guide on recording consent
  2. 2 Read how to make provenance verifiable
  3. 3 Review the API documentation for integrations

Growing lead network

Already managing publishers, buyers and routing at scale? Focus on volume without losing control.

  1. 1 Read the complete compliance checklist
  2. 2 Review the case on scaling with provenance
  3. 3 Dive into roles and processor agreements

Lead network in a legal niche

Do you serve buyers in a bar-association context? Then every request has to be justifiable back to the source.

  1. 1 Start with the explainer on bar rules and consent
  2. 2 Read what valid consent actually requires
  3. 3 See how the audit trail underpins your accountability
Articles

Practical articles

Short, concrete pieces on the questions that come up most often in practice, from consent and onward delivery to traceable provenance within your platform.

Worked example: who is what in the lead chain?

The terms controller and processor cause the most confusion in practice. Yet they determine exactly who carries which obligation once you run a lead operation on OXIAE. Below we place them side by side using a typical lead chain, so you can recognize your own role straight away.

Aspect Controller Processor
Who determines the purpose? Decides on its own why and how data is processed. Processes solely according to the controller’s instructions.
Example in the lead chain The lead network that collects requests on OXIAE and sets the purposes. The platform that processes, matches and routes on behalf of the network.
Legal obligation Concludes a data processing agreement with every processor. Adheres to the agreement and does not process for its own purposes.
Accountability to the regulator Bears ultimate responsibility and must be able to justify its choices. Provides the audit trail and evidence to the controller.

In short: if you determine the purpose of the processing yourself, you are the controller; if you do it on behalf of someone else, you are the processor. A data processing agreement between the two parties is always required.

Frequently asked questions about running a lead operation

The questions that come up most often around consent, onward delivery, retention periods and roles under the GDPR.

Can I deliver leads onward to buyers under the GDPR?

You can, provided you meet a few conditions. You need a valid legal basis (usually consent), and the requester must have known, when leaving their details, that they would be shared with buyers. Transparency is the key here: state in your consent text and privacy notice which (type of) parties may receive the request. OXIAE records provenance and consent per lead inside your platform, so onward delivery can always be justified.

What is valid consent?

Under the GDPR, consent is only valid if it is freely given, specific, informed and unambiguous. Freely given means without pressure or pre-ticked boxes; specific means for a clearly described purpose; informed means the requester knew what they were signing up for; and unambiguous means an active action, such as ticking a box themselves. In addition, the requester must be able to withdraw their consent as easily as they gave it.

How long may I keep lead data?

The GDPR does not name a fixed period. The guiding principle is data minimization: you keep data no longer than necessary for the purpose for which you collected it. In practice you therefore set a justified retention period per category of data, for example, as long as a request is actively in progress, plus a reasonable period for accountability and disputes. After that you delete or anonymize the data. Record those periods in your platform so you can demonstrate them.

What is the difference between a processor and a controller?

The controller determines why and how personal data is processed: that party bears ultimate responsibility. The processor processes data solely on the instructions of and on behalf of the controller, without determining the purpose itself. As a lead network you are typically the controller for the requests you collect, while OXIAE as a platform fulfills the role of processor. A data processing agreement between the two parties is legally required.

Do I need a data processing agreement?

Yes, as soon as another party processes personal data on your behalf, the GDPR requires a data processing agreement. In it you record which data is processed, for what purpose, for how long, and which security and confidentiality arrangements apply. If you run your lead operation on OXIAE, such an agreement is a standard part of the partnership.

Do I need to be able to demonstrate where a lead comes from?

In practice: yes. Demonstrable provenance is the foundation of trust between your publishers and the buyers you serve, and it is indispensable when the regulator or a buyer asks questions. OXIAE automatically records the source channel, the label or campaign and the time for every request, and keeps that in an immutable audit trail you can consult at any moment.

Do extra rules apply if I serve buyers in a legal context?

Yes. On top of the GDPR, leads that end up with lawyers or other legal service providers are also subject to bar association conduct rules, covering matters such as solicitation and how clients may be approached. That makes demonstrable consent and provenance extra important: the receiving buyer needs to be able to justify how the contact came about. Our knowledge base and guides help you set that up properly in your platform.

How do I get started running a demonstrable lead operation?

Start small and concrete. First make sure you record consent validly and verifiably, and that you know the provenance of every request. Then record retention periods and roles, and arrange the data processing agreements with your partners. Our reading paths by phase above help you get going in the right order, and with a demo we show you how OXIAE delivers those steps as standard inside your own platform.

Ready to make your lead operation demonstrable?

Book a demo and discover how provenance, consent and audit trail come standard in your platform, or log straight in to your environment.