Skip to content
Compliance

Compliance is not a cost. It is your selling point.

OXIAE is the operating system for lead generators, built around privacy, consent and provenance. GDPR compliance sits at the core, with a complete audit trail that lets you sell your platform as demonstrably compliant to buyers.

Why compliance is your selling point

In the traditional lead trade, compliance is often an afterthought: leads are bought, resold, and only when a complaint or an audit lands does anyone go looking for the provenance and the consent. That search usually ends in a tangle of loose spreadsheets, screenshots and emails that, together, still fall short of proving a request was processed lawfully. As a lead generator, you carry that risk, towards your buyers, towards regulators and towards your own reputation.

OXIAE reverses that order. Here, compliance is not a document you draft afterwards, but a property built into the infrastructure of the platform itself: compliance by design. The moment a request comes in, your platform immediately captures the provenance, the legal basis and the exact consent text. Not as a tidy intention, but as an immutable part of the record the lead carries with it for the rest of its life.

The difference is fundamental, and sellable. With a by-design approach, you never have to reconstruct anything, because the evidence is already there the moment you need it. A buyer asking where a lead came from, a regulator asking for a legal basis, or a data subject wanting to access their data: in every case you simply pull the audit trail from your own platform. That is not just risk management, it is a reason for buyers to source from you in the first place.

That is why we present compliance not as a checkbox, but as five interlocking pillars you can show buyers under your own brand. Together they form the foundation under every processing step: from the legal basis (GDPR, consent and provenance) to the technology (security, encryption) and the governance (roles and processors). You can explore each pillar further below.

The pillars you sell to buyers

Privacy, consent and control are not separate measures, but the foundation under every processing step on your platform. Click a pillar for the full explanation.

Traditional lead trade vs. your platform with OXIAE

Same process, a completely different starting point. Where the old approach has to prove things after the fact, your platform delivers the evidence up front, to every buyer.

Traditional lead trade
With OXIAE
Provenance is unclear or only reconstructable afterwards from scattered sources.
Provenance (channel, publisher and campaign) is captured at intake and stays traceable.
Consent is an assumption; the exact text is rarely recoverable.
Consent is stored per request, including the text shown and the timestamp.
Retention periods are managed manually or not at all.
Retention periods expire automatically according to policy, per purpose and legal basis.
No coherent audit trail; evidence is spread across people and mailboxes.
One immutable audit trail per request, exportable to buyers at any moment.
Data breach handling starts with days of working out who had what and when.
In a data breach, the scope is immediately visible: which data, which parties, which period.

Demonstrable, not promised

On your platform, compliance is not a statement on paper but a property of the system. Every request carries its own evidence with it: provenance, consent, timestamp and processing status are always traceable and exportable, to your buyers too.

  • Source & provenance: Every lead on your platform is traceable to the channel and the publisher the request came from.
  • Captured consent: Consent is tied to the request and kept verifiable over time.
  • Timestamp: The exact moment of arrival and processing is recorded without gaps.
  • Processing status: The status of every processing step is transparent and demonstrable at any time.
Request record
Verified
ID
A-31762
Source
Publisher portal
Consent
Valid
Captured
12 March 2026
Processing
GDPR-compliant

Privacy by design

Privacy is not an afterthought, but a design choice woven into every step of the platform.

Data minimisation

Only the data that is genuinely needed.

Purpose limitation

Data used solely for the agreed purpose.

Retention periods

Automatically expire according to policy.

Access control

Access by role, right and context.

Compliance in practice

The pillars are not separate promises: they act on every step of the lead lifecycle on your platform, from intake to payout.

01

1. Intake: provenance & consent

On arrival, the platform immediately captures the source, the channel and the consent text. The consent & provenance and GDPR pillars ensure every request already complies at step one.

02

2. Verification: legal basis & quality

The request is checked for a valid legal basis and quality, according to the rules you set for your network.

03

3. Processing: security & roles

Data is stored encrypted and only accessible per role. The security & encryption and roles & processors pillars ensure data is never available more broadly than necessary.

04

4. Payout: audit trail

At matching, acceptance and payout, every step is logged. The audit trail makes the entire lifecycle from intake to payout fully traceable and exportable to your buyers after the fact.

Glossary

The five terms you keep running into around compliant lead generation, explained briefly and without jargon.

Consent
The free, specific and unambiguous permission someone gives to process their data for a particular purpose. In OXIAE, consent is captured at the moment of the request, including the exact text the requester saw. That keeps consent verifiable instead of an assumption, for you and for your buyers.
Legal basis
The legal ground on which personal data may be processed: for lead generation, usually consent. Without a valid legal basis, processing is unlawful, however valuable the lead. Every request on your platform explicitly carries the chosen legal basis with it.
Provenance
The full route a request has travelled: which channel, which publisher and which campaign it came from. Provenance makes it possible to trace a lead back to its source and to address questionable publishers specifically, instead of distrusting your entire network.
Audit trail
An immutable, chronological log of every action performed on a request, from intake and verification to matching and payout. The audit trail is what turns a promise (“we are compliant”) into evidence you can export and show to buyers at any moment.
Processor vs. controller
The controller determines why and how personal data is processed; the processor does so on the controller’s instructions. OXIAE records these roles per party on your platform and links them to processor agreements, so it is always clear who is accountable for what.

Built in, demonstrable, exportable

GDPR Audit trail Consent by design

Frequently asked questions about compliance

The questions lead generators, buyers and partners ask most often about compliance on OXIAE.

Is OXIAE itself a processor or a controller?

That depends on the role in the chain. As a lead generator, you are typically the controller for the requests that run through your platform; OXIAE facilitates the infrastructure. We record the role allocation per party and tie a processor agreement to it, so it is always clear who is accountable for what.

How exactly is consent captured?

At the moment of the request, the platform stores the exact consent text the requester saw, together with the timestamp, the channel and the provenance. Consent is therefore not an assumption but a verifiable fact that is part of the request record, and something you can show to your buyers.

Which legal basis does OXIAE use for lead generation?

For lead generation the usual legal basis is consent. Every request explicitly carries the chosen legal basis with it, so processing never takes place without a lawful basis, however valuable the lead.

What happens in a data breach?

Because provenance, parties involved and processing steps are recorded per request, the scope of an incident is immediately visible: which data, which parties and which period. That shortens handling from days of digging to a targeted, well-founded notification to your buyers and regulator.

How long is data retained?

Retention periods are set per purpose and legal basis and expire automatically according to policy. That prevents data from staying around longer than necessary, without anyone having to monitor it manually.

Can I export the audit trail for an audit?

Yes. The audit trail is an immutable, chronological log of every action on a request and is exportable at any moment. When a buyer, regulator or data subject asks, you simply pull the evidence from your own platform.

Can I use compliance as a selling point towards buyers?

Yes, that is precisely the idea. Because provenance, consent and audit trail are a standard part of every request, you can sell buyers a demonstrably compliant product: not a promise, but an export they can verify themselves.

Does this also apply to leads delivered by AI agents?

Yes. Whether a request comes in via a form, a publisher or an AI agent, the same rules apply: provenance and consent are captured and every step lands in the audit trail. The infrastructure makes no exception based on the source.

Ready to sell compliance instead of defending it?

Book a demo and see how provenance, consent and audit trail make every request on your platform demonstrably compliant.