Consent
The Xavigate API operates as a data processor. You (the customer) are the data controller. You are responsible for collecting and recording informed consent from your subjects before submitting their assessment responses.
The consent_artifact field on subject creation records that consent was obtained.
The consent artifact
{
"consent_text_version": "v3",
"consented_at": "2026-04-21T10:30:00Z",
"ui_snapshot_hash": "sha256:9c5b2e1a...",
"consent_text": "By completing this assessment, you agree to..."
}
| Field | Required | Description |
|---|---|---|
| consent_text_version | ✅ | A version identifier for the consent text you showed the person. Increment this when your consent language changes. |
| consented_at | ✅ | ISO 8601 timestamp when the person agreed, in your UI |
| ui_snapshot_hash | ✅ | SHA-256 hash of the consent UI as displayed to the user. Allows you to reconstruct exactly what the person saw at that moment. |
| consent_text | Optional | Full text of the consent for your own audit trail. Not required but recommended. |
The artifact is retained for the subject's lifetime plus 7 years (litigation hold horizon).
What you must do before creating a subject
Before calling POST /v1/nature/subjects, your application must:
- Display a consent screen to the person explaining:
  - What data is being collected (MNTEST responses)
  - How it will be used (to generate a Multiple Natures profile)
  - Who will see it (your application and Xavigate as processor)
  - Their right to delete their data at any time
- Record the person's agreement (checkbox, button click, etc.)
- Compute the ui_snapshot_hash: SHA-256 of the rendered consent HTML/text shown. This lets you prove exactly what was displayed if ever challenged.
- Record the timestamp of agreement.
- Optionally retain the full consent text in the artifact.
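One way to assemble the artifact from these steps and later check it in an audit, as an added example (not Xavigate's own code). The function names and the sample HTML are assumptions; the hash is taken over the exact UTF-8 bytes of the snapshot, so you must archive that snapshot yourself because the hash alone cannot be reversed.

```python
import hashlib
import hmac
from datetime import datetime, timezone

REQUIRED_FIELDS = ("consent_text_version", "consented_at", "ui_snapshot_hash")


def snapshot_hash(rendered_consent: str) -> str:
    """SHA-256 over the exact UTF-8 bytes of the consent UI as shown."""
    digest = hashlib.sha256(rendered_consent.encode("utf-8")).hexdigest()
    return "sha256:" + digest


def build_consent_artifact(rendered_consent, version, consented_at, consent_text=None):
    """Assemble the consent_artifact object for subject creation."""
    if consented_at.tzinfo is None:
        # A naive timestamp is ambiguous in an audit; refuse it.
        raise ValueError("consented_at must be timezone-aware")
    utc = consented_at.astimezone(timezone.utc)
    artifact = {
        "consent_text_version": version,
        "consented_at": utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ui_snapshot_hash": snapshot_hash(rendered_consent),
    }
    if consent_text is not None:
        artifact["consent_text"] = consent_text
    return artifact


def verify_snapshot(artifact: dict, archived_snapshot: str) -> bool:
    """Audit check: does the archived snapshot match the recorded hash?"""
    missing = [f for f in REQUIRED_FIELDS if not artifact.get(f)]
    if missing:
        raise ValueError("artifact missing required fields: " + ", ".join(missing))
    recorded = artifact["ui_snapshot_hash"]
    return hmac.compare_digest(recorded, snapshot_hash(archived_snapshot))


# Constructed sample consent screen (not Xavigate's wording).
SAMPLE_HTML = "<form><p>By completing this assessment, you agree to...</p></form>"

if __name__ == "__main__":
    shown_at = datetime(2026, 4, 21, 10, 30, tzinfo=timezone.utc)
    art = build_consent_artifact(SAMPLE_HTML, "v3", shown_at)
    print(art)
    print(verify_snapshot(art, SAMPLE_HTML))
    print(verify_snapshot(art, SAMPLE_HTML.replace("agree", "may agree")))
```

Hash the bytes you actually served; re-rendering the template later with different whitespace or locale produces a different digest and the audit check fails.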
Right to erasure
DELETE /v1/nature/subjects/{id} deletes the subject and all associated data (assessments, profiles) within 24 hours. This is the GDPR Article 17 right-to-erasure endpoint.
Your application should expose a "delete my data" mechanism to subjects that calls this endpoint.
Consent for multiple products
At v1, the consent artifact covers Nature API usage. When Careers and Situational products launch, subjects must additionally consent to those products. A subject with Nature consent only cannot be used with the Careers or Situational APIs — you'll receive a 403 insufficient_consent error.
Plan your consent UI to support product-level consent flags if you intend to use multiple products.
Privacy obligations
The Xavigate API does not:
- Use MN/MI scores to make automated employment decisions
- Share assessment data across customer accounts
- Use assessment data for ML model training
See the Data Processing Agreement for the full processor obligations.