Consent and provenance, with every request
As a lead generator, you run on trust: from regulators, from buyers and from the people behind every request. That is why OXIAE does not record consent and provenance after the fact, but at the moment a request enters your platform, so every lead you deliver carries its own proof, under your brand.
Last updated: 1 June 2026
Under the GDPR, consent is not a checkbox but a state you, as a lead generator, must be able to demonstrate at any moment. A lead with “agreed” in a field says little if you do not know which text the data subject saw, when the agreement was given and through which channel the request came in. It is precisely that context that makes the difference between consent that holds up with a buyer or a regulator, and consent you have to substantiate after the fact.
That is why the platform records the entire context of a request at the moment itself, automatically, for every publisher and every form in your network. Not a summary, but the building blocks that valid consent is made of: the text shown, the form version, the timestamp, the channel, the publisher and the legal basis. On this page you can read what makes consent valid, what OXIAE records exactly, how a data subject withdraws consent, and how you can trace the provenance of every lead.
The lifecycle of consent
Five steps every consent in your platform goes through, from the moment of asking to the moment of exporting.
Requested
Consent is explicitly requested the moment the request is filled in on your form.
Recorded
Legal basis, text and agreement are registered by the platform immediately, not reconstructed afterwards.
Linked to the request
The consent stays inseparably tied to the request it belongs to.
Traceable
Source, timestamp and legal basis can be found and verified by you at any moment.
Exportable
You retrieve the full context and export it the moment you need it.
What makes consent valid
The GDPR sets four conditions for valid consent. They all apply at once: if even one is missing, the consent is contestable. OXIAE enforces each of the four at the moment of intake, on every form in your network.
1. Freely given
The data subject must have a genuine choice, without pressure or adverse consequences.
At OXIAE: The platform enforces that the consent checkbox on your forms is never pre-ticked and never required in order to submit. Consent and submission are separate actions.
2. Specific
Consent only applies to the purpose for which it was requested, not to everything at once.
At OXIAE: Per form you record the concrete purpose: which buyer, which type of offer. A single blanket checkbox for “everything” is refused; each purpose gets its own, traceable legal basis.
3. Informed
The data subject knows who the processor is, what the data is used for and to whom it is passed on.
At OXIAE: The exact consent text shown and the version of the form are recorded together with the request. That way you can later demonstrate exactly which information the data subject saw at that moment, under your brand.
4. Unambiguous
Consent requires a clear, active action: no silence or pre-filled choices.
At OXIAE: Only a deliberate, active click counts as agreement. That agreement is recorded with timestamp and channel, so there is no doubt for you whether, and when, consent was given.
Recorded, not reconstructed
The difference is in the moment. Anyone who only tries to substantiate consent afterwards is filling in gaps. The platform records source, legal basis and timestamp at the moment itself, so every request that comes in under your brand carries its own proof — kept in your audit trail and stored securely.
- Source verified: The channel and the publisher the request came from are checked and recorded by the platform.
- Legal basis recorded: The legal basis for processing is registered at the moment of intake, under your brand.
- Timestamp & traceability: The exact moment of consent is conclusively preserved and stays traceable for you.
- Source
- Publisher portal
- Legal basis
- Consent (GDPR)
- Recorded
- 12 March 2026, 14:02
- Status
- Valid
- Traceable
- Yes
Illustrative example, not actual data.
What exactly is recorded
A consent record is more than a yes or no. The platform keeps the full context you need to demonstrate consent: six elements that together form the proof, for every request in your network.
Consent text as shown
The full text the data subject saw at the moment of agreement, preserved verbatim.
Form version
The version number of the form, so that later changes never cloud your burden of proof.
Timestamp
Date and time of the agreement, accurate to the second and not editable.
Channel & source
Which channel, which landing page and which campaign the request came in through.
Publisher ID
The verified publisher in your network that delivered the request.
Legal basis
The legal basis for processing, linked to the specific purpose.
Withdrawing consent
Withdrawing consent should be just as easy as giving it. What happens in your platform the moment a data subject withdraws their consent, both with the lead and with onward delivery to buyers, is fully arranged and traceable.
Data subject submits a request
A data subject withdraws consent via the unsubscribe link, the privacy request or a direct message to you as the data controller. The request does not need to state a reason.
Lead is flagged
The request immediately receives the status “withdrawn” in the platform. The original consent record is preserved as proof that valid consent once existed, with the moment of withdrawal added to it.
Onward delivery stops
Further delivery to buyers in your network is blocked immediately. Buyers already supplied receive a withdrawal signal, so that they too may no longer approach the data subject.
Traceably closed
The withdrawal is recorded just as traceably as the original consent (who, when, through which channel), verifiable by you in the audit trail.
Tracing provenance
Valid consent starts with a reliable source. With every request, the platform records through which channel, which landing page and which publisher the lead came in, and that provenance is verified, not simply taken at face value.
If a request comes in through an unknown or unverified source, the platform turns it away before it enters your lead flow. That way you keep fraudulent and untraceable leads out, and for every lead you do deliver you know exactly where it comes from, which is crucial the moment a buyer or regulator asks.
- Channel recorded: The channel through which the request came in is part of the record.
- Publisher verified: The delivering publisher in your network is known, authorized and linked via a publisher ID.
- Landing page known: The specific landing page on which the data subject made their request is preserved.
- Unknown sources turned away: Unverified or suspicious provenance is blocked at intake.
Recorded at intake vs. reconstructed afterwards
The same difference keeps coming back: proof you record at the moment itself, or context you try to piece together afterwards.
Frequently asked questions about consent & provenance
The questions lead generators ask most often about consent, provenance and what OXIAE keeps exactly.
Does OXIAE keep the exact text the data subject saw?
Yes. The full consent text as shown and the version of the form are recorded together with the request. That way you can later demonstrate verbatim which information the data subject saw at the moment of agreement.
What happens to a lead if someone withdraws their consent?
The request receives the status “withdrawn”, further onward delivery is blocked immediately and buyers already supplied receive a withdrawal signal. The original consent record is preserved as proof that valid consent once existed, with the moment of withdrawal added to it.
How can I be sure the provenance of a lead is correct?
Channel, landing page and publisher ID are verified and recorded at intake by the platform. Requests from unknown or unverified sources are turned away, so that for every accepted lead you know exactly where it comes from.
Can a timestamp or consent text still be edited afterwards?
No. The timestamp and the text shown are recorded at the moment of intake and cannot be edited afterwards. Any change that does matter, such as a withdrawal, is added as a new, traceable event in the audit trail.
Is the consent exportable for my own records?
Yes. The full context of a request (text, version, timestamp, channel, publisher and legal basis) you retrieve and export from the platform, so you can include it in your own accountability at any moment.
Consent & provenance in numbers
Every request carries its own proof
See how every request carries its own proof
Book a demo and discover how OXIAE records consent, provenance and audit trail as standard with every request in your platform.