Knowledge center for running your lead operation
Running a lead operation stopped being a matter of collecting as many contact details as possible a long time ago. Anyone running a platform for publishers and buyers today needs to be able to show where a request came from, whether there is valid consent, and how the data was processed. In this knowledge center you will find practical articles, in-depth guides and a clear compliance knowledge base: everything to run your operation under your own brand safely and demonstrably.
We write in plain language, not legal jargon. Every resource is meant to help you take a step forward: from a quick definition to a complete checklist you can hold up against your own platform.
Categories
Quickly find the knowledge you are looking for, from practical articles to in-depth documentation. Click a category to jump straight to the right section.
Articles
Practical knowledge about running a lead operation, short and concrete.
View ArticlesGuides
In-depth handbooks for setting up and scaling your platform.
View GuidesCompliance knowledge base
GDPR and provenance explained clearly, without legal jargon.
View Compliance knowledge baseAPI documentation
Everything you need to integrate quickly and securely with your own stack.
View API documentationCases
Results and real-world examples from lead generators running on OXIAE.
View CasesFeatured
The most-read knowledge on consent, provenance and demonstrably running your platform.
Proving provenance: from source channel to audit trail
Record where each lead comes from per request, traceable all the way back to the source.
Read more: Proving provenance: from source channel to audit trailAI agents and compliance: letting requests arrive safely
The same consent, provenance and audit trail, whether the request comes from a human or an AI agent.
Read more: AI agents and compliance: letting requests arrive safelyMeasuring lead quality: from scattered signals to a single score
Which signals predict quality and how to make them measurable in your own platform.
Read more: Measuring lead quality: from scattered signals to a single scoreThe concepts that carry compliance
Before you set up your platform, it helps to have the core concepts clear. Below we explain the six terms that come up in almost every conversation about safely running a lead operation: short, concrete and without legal jargon.
GDPR
The General Data Protection Regulation (GDPR) is the European privacy law that applies the moment you process personal data. For a lead operation that means: a valid legal basis for every processing activity, data minimization and clear agreements on retention and sharing. The GDPR does not prescribe fixed retention periods, but requires that you can justify every choice: something OXIAE records for you by default inside your platform.
Data protection authority principles
Your national data protection authority is the regulator that enforces the GDPR. In its guidance, it explains how principles such as purpose limitation, transparency and demonstrable consent play out in practice. OXIAE is built around those principles, so the operation you run on the platform lines up with what regulators expect.
Bar association rules
If you serve buyers in a legal context, bar association conduct rules apply on top of the GDPR, covering matters such as solicitation and how clients may be approached. Bar-aware lead generation means provenance and consent are recorded in your platform in a way a legal buyer can account for.
Consent
Consent is one of the legal bases under the GDPR and must be freely given, specific, informed and unambiguous. In practice that means: the requester knew what they were consenting to, gave it actively, and can withdraw it. Valid consent is not a checkbox added after the fact, but a demonstrable fact with a timestamp and context, for every request that comes in through your platform.
Provenance
Provenance describes exactly where a lead comes from: the source channel, the campaign or label, the landing page and the time it arrived. Verifiable provenance makes the difference between an anonymous row of data and a request you can trace all the way back to the source. It is the foundation of trust between your publishers and the buyers you serve.
Audit trail
An audit trail is the immutable log of every processing step a request goes through, from intake and consent to matching, routing and payout. Records are never overwritten, only appended. As a result you can reconstruct at any moment what happened to a lead, who received what, and on what basis that was allowed, automatically, for every request that runs through your platform.
Glossary
A quick reference to the terms you will come across in our articles, guides and in the platform. Handy to keep nearby when you are just getting started with running a demonstrable lead operation.
- Lead
- A request or contact from someone with demonstrable interest, accompanied by provenance and consent.
- Controller
- The party that determines the purpose and means of the data processing and bears ultimate responsibility.
- Processor
- The party that processes personal data on behalf of and on the instructions of the controller.
- Data processing agreement
- The legally required agreement between controller and processor on how data is processed.
- Legal basis
- The legal foundation for a processing activity, such as consent or a legitimate interest.
- Data minimization
- The principle that you process no more data than is strictly necessary for the purpose.
- Retention period
- The period during which you may keep data; afterwards it is deleted or anonymized.
- Purpose limitation
- Data may only be used for the purpose for which it was collected.
- Privacy by design
- Privacy is built into a system from the design stage, not added afterwards.
- Routing
- The rule-based distribution of requests to the right buyer within your platform.
Get started: reading paths by phase
Not every lead network is in the same phase. That is why we have mapped out three routes through the knowledge center: pick the phase that fits your platform best and follow the steps in order.
Lead generator getting started
Setting up your first lead operation under your own brand? Make sure consent and provenance are right from day one.
- 1 Start with the guide on recording consent
- 2 Read how to make provenance verifiable
- 3 Review the API documentation for integrations
Growing lead network
Already managing publishers, buyers and routing at scale? Focus on volume without losing control.
- 1 Read the complete compliance checklist
- 2 Review the case on scaling with provenance
- 3 Dive into roles and processor agreements
Lead network in a legal niche
Do you serve buyers in a bar-association context? Then every request has to be justifiable back to the source.
- 1 Start with the explainer on bar rules and consent
- 2 Read what valid consent actually requires
- 3 See how the audit trail underpins your accountability
Practical articles
Short, concrete pieces on the questions that come up most often in practice, from consent and onward delivery to traceable provenance within your platform.
Proving provenance: from source channel to audit trail
Which data to record per request so you can trace where a lead comes from all the way back to the source.
Read on Article · 6 min readMeasuring lead quality: from scattered signals to a single score
Which signals predict quality and how to make them measurable without overcomplicating your process.
Read on Article · 6 min readRecording consent: what the GDPR really asks of you
When is consent valid, and how do you record it verifiably with a timestamp and context?
Read on Article · 5 min readThe compliance knowledge base: GDPR essentials at a glance
All the core concepts around legal basis, transparency and sharing requests with buyers, explained clearly.
Read on Article · 4 min readScaling a lead network with verifiable provenance
How to record source channel, campaign and timing so every lead stays traceable, even at higher volume.
Read onIn-depth guides
More extensive handbooks that walk you through a topic step by step. Ideal to hold up against your own platform and go through together with your team.
AI agents and compliance: letting requests arrive safely
How to let AI agents deliver leads with the same consent, provenance and audit trail as humans.
Read the guide Guide · 8 min readFrom intake to audit trail: the complete compliance checklist
Step by step toward a request you can justify at any moment, from consent to payout.
Read the guide Guide · 7 min readScaling a lead network with verifiable provenance
The practical approach networks use to gain more volume without losing trust.
Read the guide Guide · 6 min readRecording consent: getting roles and processor agreements clear
Who is the controller, who is the processor, and how do you record consent verifiably?
Read the guideWorked example: who is what in the lead chain?
The terms controller and processor cause the most confusion in practice. Yet they determine exactly who carries which obligation once you run a lead operation on OXIAE. Below we place them side by side using a typical lead chain, so you can recognize your own role straight away.
| Aspect | Controller | Processor |
|---|---|---|
| Who determines the purpose? | Decides on its own why and how data is processed. | Processes solely according to the controller’s instructions. |
| Example in the lead chain | The lead network that collects requests on OXIAE and sets the purposes. | The platform that processes, matches and routes on behalf of the network. |
| Legal obligation | Concludes a data processing agreement with every processor. | Adheres to the agreement and does not process for its own purposes. |
| Accountability to the regulator | Bears ultimate responsibility and must be able to justify its choices. | Provides the audit trail and evidence to the controller. |
In short: if you determine the purpose of the processing yourself, you are the controller; if you do it on behalf of someone else, you are the processor. A data processing agreement between the two parties is always required.
Frequently asked questions about running a lead operation
The questions that come up most often around consent, onward delivery, retention periods and roles under the GDPR.
Can I deliver leads onward to buyers under the GDPR?
You can, provided you meet a few conditions. You need a valid legal basis (usually consent), and the requester must have known, when leaving their details, that they would be shared with buyers. Transparency is the key here: state in your consent text and privacy notice which (type of) parties may receive the request. OXIAE records provenance and consent per lead inside your platform, so onward delivery can always be justified.
What is valid consent?
Under the GDPR, consent is only valid if it is freely given, specific, informed and unambiguous. Freely given means without pressure or pre-ticked boxes; specific means for a clearly described purpose; informed means the requester knew what they were signing up for; and unambiguous means an active action, such as ticking a box themselves. In addition, the requester must be able to withdraw their consent as easily as they gave it.
How long may I keep lead data?
The GDPR does not name a fixed period. The guiding principle is data minimization: you keep data no longer than necessary for the purpose for which you collected it. In practice you therefore set a justified retention period per category of data, for example, as long as a request is actively in progress, plus a reasonable period for accountability and disputes. After that you delete or anonymize the data. Record those periods in your platform so you can demonstrate them.
What is the difference between a processor and a controller?
The controller determines why and how personal data is processed: that party bears ultimate responsibility. The processor processes data solely on the instructions of and on behalf of the controller, without determining the purpose itself. As a lead network you are typically the controller for the requests you collect, while OXIAE as a platform fulfills the role of processor. A data processing agreement between the two parties is legally required.
Do I need a data processing agreement?
Yes, as soon as another party processes personal data on your behalf, the GDPR requires a data processing agreement. In it you record which data is processed, for what purpose, for how long, and which security and confidentiality arrangements apply. If you run your lead operation on OXIAE, such an agreement is a standard part of the partnership.
Do I need to be able to demonstrate where a lead comes from?
In practice: yes. Demonstrable provenance is the foundation of trust between your publishers and the buyers you serve, and it is indispensable when the regulator or a buyer asks questions. OXIAE automatically records the source channel, the label or campaign and the time for every request, and keeps that in an immutable audit trail you can consult at any moment.
Do extra rules apply if I serve buyers in a legal context?
Yes. On top of the GDPR, leads that end up with lawyers or other legal service providers are also subject to bar association conduct rules, covering matters such as solicitation and how clients may be approached. That makes demonstrable consent and provenance extra important: the receiving buyer needs to be able to justify how the contact came about. Our knowledge base and guides help you set that up properly in your platform.
How do I get started running a demonstrable lead operation?
Start small and concrete. First make sure you record consent validly and verifiably, and that you know the provenance of every request. Then record retention periods and roles, and arrange the data processing agreements with your partners. Our reading paths by phase above help you get going in the right order, and with a demo we show you how OXIAE delivers those steps as standard inside your own platform.
Read on in the knowledge center
- Compliance knowledge baseGDPR, regulator principles and bar association rules explained clearly, without legal jargon.
- The complete compliance checklistFrom intake to audit trail, justified step by step.
- Recording consent under the GDPRWhen consent is valid and how to record it verifiably.
- View the pricingTransparent pricing for lead networks running their operation on OXIAE.
Ready to make your lead operation demonstrable?
Book a demo and discover how provenance, consent and audit trail come standard in your platform, or log straight in to your environment.