Opefin Source

Australia Specific Additional Consumer Terms

Consumer version — jurisdiction-specific requirements for individuals using Opefin Source in Australia

Version 1.0  |  Effective Date: 1 April 2026  |  Supplements the Global General Terms and applicable Product Terms

Opefin Limited (NZBN: 9429053433008)  |  hello@opefin.com

How this Australia Specific Additional Consumer Terms works

This Australia Specific Additional Consumer Terms (“AU Addendum”) applies to all Opefin users who are located in Australia or who use Opefin services in connection with transactions or activities governed by Australian law. It supplements the Global General Terms (GGT), and the Global Consumer Terms. Where this AU Addendum conflicts with the GGT or the Global Consumer Terms on a matter governed by Australian law, this AU Addendum takes precedence. Mandatory protections under Australian Consumer Law and the Privacy Act 1988 (Cth) apply regardless of the governing law in the GGT. All defined terms from the GGT and Global Consumer Terms apply here unless a different meaning is given.

Important: Opefin is currently a New Zealand entity

Opefin Limited is incorporated in New Zealand (NZBN 9429053433008) and is the contracting entity for Australian users at the time this AU Addendum is published. Opefin’s Australian operations are conducted by Opefin Limited contracting directly with Australian users from New Zealand, pending the establishment of an Australian entity. When an Australian entity is incorporated, this AU Addendum will be updated. Australian Consumer Law protections apply to all Australian Consumer Users regardless of the contracting entity’s jurisdiction of incorporation.

Part 1

Contracting entity

1. Contracting Entity for Australia

FieldDetail
Current contracting entityOpefin Limited (New Zealand), NZBN: 9429053433008
Future AU entity[To be designated when incorporated — this AU Addendum will be updated]
Primary contact (AU)hello@opefin.com | opefin.com
Privacy Officerprivacy@opefin.com

Part 2

Governing law and dispute resolution

2. Governing Law

The Global General Terms specify New Zealand as the governing law. For Australian users, New Zealand law governs the agreement except to the extent that: (a) Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)) provides mandatory protections that cannot be excluded; (b) the Privacy Act 1988 (Cth) imposes obligations on Opefin in connection with your personal information; or (c) another mandatory law of Australia or of a State or Territory applies to a specific matter. Where Australian law provides you with a right greater than what New Zealand law provides, the Australian right applies.

3. Courts

Disputes not resolved through complaints processes may be brought before the courts of New Zealand or, for Australian Consumer Users asserting rights under Australian Consumer Law, before the courts of the relevant Australian State or Territory or the Federal Court of Australia. Opefin does not contest Australian court jurisdiction for disputes involving Australian mandatory consumer law rights.

4. Dispute Resolution Schemes

Scheme or bodyContact and scope
Australian Financial Complaints Authority (AFCA)www.afca.org.au | 1800 931 678 (free call). For eligible financial services disputes.
Office of the Australian Information Commissioner (OAIC)www.oaic.gov.au | 1300 363 992. For privacy complaints under the Privacy Act 1988 (Cth).
ACCCwww.accc.gov.au. For misleading conduct or breaches of Australian Consumer Law.
AUSTRACwww.austrac.gov.au. For complaints about conduct in connection with AML/CTF obligations.

Part 3

Privacy Act 1988 (Cth)

5. Privacy Act 1988 (Cth) Compliance

5.1 Application

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to Opefin’s handling of personal information about individuals in Australia. Opefin is the primary controller of Consumer Data collected through the Opefin Source consent process. The definition of Personal Data in the GGT encompasses personal information as defined in the Privacy Act 1988 (Cth).

5.2 Australian Privacy Principles

PrincipleHow Opefin meets itStatus
APP 1 — Open and transparent managementOpefin maintains its Global Privacy Policy and AU Privacy Notice describing how it handles personal information. Available at opefin.com/legal/global-privacy-policy.Compliant
APP 2 — Anonymity and pseudonymityAML/CTF law requires genuine identity verification. Anonymity is not practicable for the certificate generation process.N/A — AML/CTF requirement
APP 3 — Collection of solicited personal informationOpefin collects only what is reasonably necessary for the purposes described in Part 4 of the Global Privacy Policy: identity verification, certificate generation, CDD/EDD screening, risk profiling, Compliance Network operation, ongoing monitoring, SAR workflow support, product development using anonymised data, legal compliance, and platform security.Compliant
APP 4 — Unsolicited personal informationWhere Opefin receives personal information it did not solicit and could not have collected lawfully, it destroys or de-identifies it as soon as practicable.Compliant
APP 5 — Notification of collectionIndividuals are notified before collection of all purposes including Compliance Network use, who will receive the information, any overseas disclosure, and their rights. Done via the Consumer Consent Disclosure Notice.Compliant
APP 6 — Use or disclosure of personal informationPersonal information is used or disclosed for the purposes described in Part 4 of the Global Privacy Policy, including certificate generation, Compliance Network operation with Consumer notification, and product improvement using anonymised data. Not used for credit assessment, employment screening, insurance underwriting, or targeted advertising.Compliant
APP 7 — Direct marketingOpefin does not use personal information retrieved through the CDR connection for direct marketing. Account data may be used for service communications.Compliant
APP 8 — Cross-border disclosureWhere personal information is disclosed to overseas recipients, Opefin takes reasonable steps to ensure comparable protection. Transfer to New Zealand meets the APP 8 standard. See clause 12 of this AU Addendum.Compliant
APP 9 — Adoption of government identifiersOpefin does not adopt government identifiers as its own identifiers. Certificate IDs are internal reference numbers only.Compliant
APP 10 — QualityReasonable steps are taken to ensure accuracy. CDR data reflects what the bank holds at the point of retrieval.Compliant
APP 11 — SecurityTechnical and organisational security measures are described in Schedule 2 of the DPA. Reasonable steps are taken to protect against misuse, interference, loss, and unauthorised access.Compliant
APP 12 — AccessIndividuals may request access to personal information Opefin holds about them. Requests processed within 30 days. Contact privacy@opefin.com.Compliant
APP 13 — CorrectionIndividuals may request correction of personal information. Opefin will correct or attach a notation within a reasonable period.Compliant

5.3 Notifiable Data Breaches

Australia’s Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 requires Opefin to notify affected individuals and the OAIC of eligible data breaches. Opefin will assess data breaches against the NDB criteria as soon as practicable and, where a breach is assessed as notifiable, will notify the OAIC as soon as practicable and affected individuals directly where practicable. For Enterprise Users: Opefin will notify the Reporting Entity within 72 hours of becoming aware of a breach involving Consumer Data related to their certificates.

Part 4

Consumer Data Right in Australia

6. Australian CDR Framework

6.1 The Regulatory Framework

Australia’s Consumer Data Right (CDR) is established by the Competition and Consumer Act 2010 (Cth) and the Consumer Data Right Rules. The CDR has been in operation for the banking sector since 2019. The ACCC administers the CDR together with the OAIC. The Data Standards Body sets the technical standards for CDR data sharing.

6.2 Open Banking Provider for Australia

In Australia, Opefin accesses Consumer banking data through an ACCC-accredited CDR data recipient as specified in the applicable Product Schedule and confirmed when Australian operations commence. For identity verification, Opefin uses an appointed IDV Provider for biometric capture, liveness detection, and document verification. The current IDV Provider for Australian transactions is identified in the applicable Product Schedule. The IDV Provider processes biometric data under its own privacy framework. Opefin does not retain raw biometric data after the verification event; it retains the verification outcome only. Opefin is pursuing direct CDR accreditation from the ACCC. When direct accreditation is obtained, this AU Addendum will be updated.

6.3 Designated Data Holders

The following Australian banks are currently designated Data Holders under the CDR: ANZ Banking Group, Commonwealth Bank of Australia (CBA), National Australia Bank (NAB), Westpac Banking Corporation, and a growing number of non-major banks. The current list is maintained by the ACCC at www.cdr.gov.au.

6.4 Disclosed purpose of CDR consent

The CDR Rules require that CDR data be used only for the purpose disclosed at consent. The purpose disclosed in Opefin’s consent flow for Australian users includes: verifying your identity and generating your AML/CTF compliance certificate; creating and maintaining your Compliance Network Record; enabling accredited Reporting Entities to query your record for future transactions with notification to you; EDD screening where the EDD Module is activated; and improving Opefin products using derived and anonymised data. Raw CDR data is not used for purposes outside this disclosed scope.

6.5 Australian Consumer CDR Rights

Under the Australian CDR framework, users have the following rights:

  • The right to authorise and revoke data sharing consents at any time through their bank’s CDR consent dashboard.
  • The right to a Consumer Data Request Dashboard provided by each Data Holder, showing all active CDR consents.
  • The right to access their own CDR data from Data Holders.
  • The right to complain about CDR conduct to the OAIC (CDR privacy safeguards) or the ACCC (other CDR Rules).
  • The right to seek compensation for loss caused by a breach of CDR privacy safeguards.

Part 5

Australian Consumer Law

7. Privacy Rights for Australian Users

7.1 Right to Access

You may request access to personal information Opefin holds about you under APP 12 by contacting privacy@opefin.com. Opefin will respond within 30 days. Opefin may charge a reasonable fee to cover the cost of providing access (but not for the request itself) where the Privacy Act permits. We will tell you the fee before we proceed.

7.2 Right to Correction

You may request correction of personal information under APP 13 by contacting privacy@opefin.com. Opefin will correct the information or attach a notation of your correction request within a reasonable period.

7.3 Right to remove from Compliance Network queries

You may request removal of your Compliance Network Record from active queries at any time by contacting privacy@opefin.com. This means no future Reporting Entity can query your record going forward. The underlying Certificate must still be retained for the 7-year statutory period applicable to Australian transactions.

8. Australian Consumer Law Guarantees

Schedule 2 of the Competition and Consumer Act 2010 (Cth) (Australian Consumer Law) applies to services supplied to Consumer Users in Australia in trade or commerce. Where you are a consumer within the meaning of the ACL, the following statutory guarantees apply and cannot be excluded: services will be provided with due care and skill; services will be reasonably fit for their purpose; and services will be supplied within a reasonable time where no time is agreed. For major failures, you have an immediate right to cancel and receive a full refund or compensation.

9. Unfair Contract Terms

The ACL prohibits unfair terms in standard-form consumer contracts and small business contracts. Opefin does not rely on any term it considers unfair under this standard. The liability limitations in the GGT are drafted to preserve the ACL guarantees; the ACL guarantee applies to the extent of any inconsistency.

10. Do Not Call Register and Spam Act

Opefin complies with the Do Not Call Register Act 2006 (Cth) and the Spam Act 2003 (Cth). We will not send you unsolicited commercial electronic messages without your consent. You may unsubscribe from marketing communications at any time using the unsubscribe link in any marketing message or by contacting privacy@opefin.com.

Part 6

Data handling in Australia

11. Retention Periods in Australia

Australian Retention Override

Australian Reporting Entities must retain Opefin Source certificates for seven years, not five. This overrides the five-year default in the Global General Terms, the Global Consumer Terms, and the New Zealand Specific Additional Consumer Terms, for Australian transactions.

Data categoryRetention periodLegal basis
Opefin Source certificates7 years from generation date.Section 113, AML/CTF Act 2006 (Cth).
Compliance Network Record7 years from the certificate date. Deleted within 30 days of expiry or valid removal request after expiry.Statutory obligation; Compliance Network operation.
CDR transaction data (incorporated into Certificate or Network Record)Retained as part of Certificate and Compliance Network Record for the 7-year period.Statutory obligation.
CDR transaction data (not incorporated)Deleted within 30 days of certificate generation or CDR consent revocation.Privacy Act 1988 (Cth) APP 11; CDR Rules.
CDR consent records7 years from date of consent.AML/CTF Act and CDR Rules record-keeping requirements.
Certificate verification hashIndefinite. Contains no personal information.Technical integrity record.
Derived and anonymised dataIndefinite. Once genuinely anonymised, no longer personal information.Legitimate interests in product development and analytics.
Platform account data (Enterprise Users)Duration of MSA plus 3 years.Australian commercial records expectations.
Technical logs12 months.Security monitoring and incident response.

12. Cross-Border Transfers from Australia

APP 8 requires Opefin to take reasonable steps to ensure that overseas recipients of personal information about Australian individuals handle it consistently with the APPs. Opefin currently processes Australian user data using infrastructure in Australia and New Zealand. Transfer to New Zealand is a transfer to a jurisdiction with comparable protections. Where data is transferred to other jurisdictions for cloud provider redundancy, Opefin relies on contractual arrangements with those providers requiring APP-equivalent protections.

13. Government and Regulatory Requests in Australia

Where Opefin receives a request from an Australian regulatory authority, law enforcement agency, or court for personal information or records, Opefin will assess its legal basis, respond in accordance with its legal obligations, notify the affected Enterprise User or Consumer User where lawfully permitted before complying, and provide only the minimum information necessary. AUSTRAC has powers under the AML/CTF Act to require production of records from Opefin in connection with investigations. Opefin will cooperate with any lawful AUSTRAC request.

Part 7

Opefin Source in Australia

14. Opefin Source in Australia

14.1 Compliance Network in Australia

The Opefin Compliance Network is a current core feature of Opefin Source. When a Consumer’s certificate is generated, a Compliance Network Record is created and held for the 7-year statutory retention period applicable to Australian transactions. Accredited Reporting Entities involved in future transactions with that Consumer may query the Network with Consumer notification. This supports the reliance model under section 38 of the AML/CTF Act 2006 (Cth), which permits a reporting entity to rely on CDD conducted by another reporting entity. It eliminates repeated verification friction for Consumers across transactions, including cross-border transactions.

14.2 CDR Maturity Advantage

Australia’s CDR has been in operation since 2019, giving it significantly greater bank coverage and API maturity than New Zealand’s CDR framework. CDR connections are available for all major Australian banks and a growing number of non-major banks, meaning more complete data coverage is available for Australian certificates.

15. Complaints About Opefin Source in Australia

Complaints about Opefin Source in Australia should follow the process in the Opefin Complaints Policy, by emailing complaints@opefin.com. The applicable external dispute resolution scheme depends on the nature of the complaint: AFCA for financial services disputes (clause 4); OAIC for privacy complaints; ACCC or relevant State or Territory consumer affairs office for Australian Consumer Law complaints; and AUSTRAC for AML/CTF- related matters.

Part 8

Key Australia contacts

ContactDetails
Opefin Australia contactaustralia@opefin.com | opefin.com
Opefin Privacy Officerprivacy@opefin.com
Opefin Complaintscomplaints@opefin.com
Office of the Australian Information Commissioner (OAIC)www.oaic.gov.au | 1300 363 992
Australian Financial Complaints Authority (AFCA)www.afca.org.au | 1800 931 678
AUSTRACwww.austrac.gov.au
ACCC (CDR and consumer protection)www.accc.gov.au | www.cdr.gov.au
Open Banking Provider (AU)To be confirmed when AU operations commence

End of Australia Specific Additional Consumer Terms | Version 1.0 | Opefin Limited

Supplements the Global General Terms and applicable Product Terms