Legal

Australia Privacy Notice

Jurisdiction-Specific Notice: Read alongside the Global Privacy Policy

Version 1.0  |  Effective Date: 1 April 2026

Opefin Limited (NZBN: 9429053433008)  |  privacy@opefin.com

FieldDetail
Document typeAU Privacy Notice (Jurisdiction-Specific)
Applies toUsers in Australia / transactions subject to Australian law
Read alongsideGlobal Privacy Policy baseline
Version1.0
Effective date1 April 2026
Privacy contactprivacy@opefin.com

How to read this notice

This notice supplements the Opefin Global Privacy Policy baseline. It does not replace it. Read both documents together. Where this notice says something different from the global baseline, this notice takes precedence for users in Australia.

This notice explains your rights and our obligations under the Privacy Act 1988 (Cth), the Consumer Data Right framework under the Competition and Consumer Act 2010 (Cth), and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).

Important: Opefin is currently a New Zealand entity

Opefin Limited is incorporated in New Zealand and is the contracting entity for Australian users at the time this notice is published. When Opefin incorporates an Australian entity, this notice will be updated and the Australian entity will become the contracting party for Australian transactions. We will notify Australian users when this happens.

Part 1

The Australian legal framework

LawWhat it does
Privacy Act 1988 (Cth)The core federal privacy law in Australia. It sets out 13 Australian Privacy Principles (APPs) governing how we collect, use, store, and disclose your personal information. The regulator is the Office of the Australian Information Commissioner (OAIC).
Consumer Data Right (CDR)The open banking framework under the Competition and Consumer Act 2010 (Cth), Part IVD. It requires consumer data to be shared only with accredited data recipients, only with the consumer's consent, and only for the purposes disclosed at consent. The ACCC and OAIC jointly regulate the CDR.
AML/CTF Act 2006 (Cth)The law requiring Australian reporting entities to verify the source of their clients' funds. AUSTRAC is the Australian AML/CTF supervisor. Under section 113, records must be retained for at least 7 years. This 7-year period overrides the global baseline for Australian transactions.

Part 2

Your rights under the Privacy Act 1988 (Cth)

PrincipleHow Opefin meets itStatus
APP 1 — Open and transparent managementWe manage personal information openly and transparently. This notice and the global baseline are our primary disclosure tools. We maintain a current privacy policy freely available at opefin.com/legal/global-privacy-policy.Compliant
APP 2 — Anonymity and pseudonymityAML/CTF law requires us to verify identity. Anonymity is not practicable for the certificate generation process.N/A — AML/CTF identity requirement applies
APP 3 — Collection of solicited personal informationWe collect only what is reasonably necessary for the following purposes: verifying your identity through biometric and document verification; generating an AML/CTF compliance certificate; EDD screening (PEP, sanctions, and adverse media) where that module is activated; creating and maintaining your Compliance Network record; enabling accredited reporting entities to query that record for future transactions with notification; improving Opefin products using derived and anonymised data; and complying with legal obligations.Compliant
APP 4 — Unsolicited personal informationIf we receive personal information we did not solicit and could not have collected under APP 3, we destroy or de-identify it as soon as practicable.Compliant
APP 5 — Notification of collectionAt the point of consent, we disclose who we are, all purposes of collection including Compliance Network use and biometric identity verification, who will receive the information (including our IDV Provider who processes your facial image and liveness check under their own privacy framework), any overseas disclosure, and your rights. This is done via the Consumer Consent Disclosure Notice.Compliant
APP 6 — Use and disclosureWe use and disclose your personal information for the primary purpose and for directly related secondary purposes set out in this notice and the Global Privacy Policy Part 4. We do not use it for credit assessment, employment screening, insurance underwriting, or targeted advertising.Compliant
APP 7 — Direct marketingWe do not use your personal information for direct marketing.Compliant
APP 8 — Cross-border disclosureBefore disclosing your personal information to an overseas recipient, we take reasonable steps to ensure they protect it to a standard comparable to the APPs. Transfer to New Zealand meets the APP 8 standard, as the NZ Privacy Act 2020 is broadly equivalent to the Australian Privacy Act 1988 (Cth).Compliant
APP 9 — Government identifiersWe do not adopt, use, or disclose Australian government identifiers as our own identifier for individuals.Compliant
APP 10 — QualityWe take reasonable steps to ensure the personal information we collect, use, and disclose is accurate, up to date, and complete. Open banking data is retrieved in real time from your bank.Compliant
APP 11 — SecurityWe protect personal information from misuse, interference, loss, and unauthorised access using AES-256 encryption, TLS 1.2+, MFA, RBAC, and regular penetration testing.Compliant
APP 12 — AccessYou have the right to access the personal information we hold about you. We will respond within 30 days. Contact privacy@opefin.com.Compliant
APP 13 — CorrectionYou have the right to request correction of inaccurate, out of date, incomplete, or misleading personal information. We will respond within 30 days.Compliant

Part 3

How long we keep your data — Australia

The global baseline sets a default retention period referenced to applicable statutory law. For Australian transactions, the AML/CTF Act 2006 (Cth) requires a 7-year period, which overrides the global baseline for Australian users.

Data categoryRetention periodWhy
Opefin Source certificates7 years from the certificate date. Required by section 113, AML/CTF Act 2006 (Cth).Statutory obligation.
Compliance Network record7 years from the certificate date. Deleted within 30 days of expiry or your removal request after the statutory period.Statutory obligation; Compliance Network operation.
CDR transaction data (incorporated)Retained as part of the certificate and Compliance Network record for the 7-year period.Statutory obligation.
CDR transaction data (not incorporated)Deleted within 30 days of certificate generation or CDR consent revocation.Privacy Act APP 11; CDR Rules.
Derived and anonymised dataRetained indefinitely for product development and analytics. Once anonymised, this data is no longer personal information.Legitimate interests in product improvement.
CDR consent records7 years from the consent event, consistent with the AML/CTF Act and CDR Rules.Statutory obligation.
Certificate audit log7 years from the certificate date.AML/CTF Act 2006 (Cth).
Account and profile informationDuration of your account plus 2 years after closure.Legitimate interests.
Communications3 years from the date of the communication.Legitimate interests.

Section 113, AML/CTF Act 2006 (Cth) — why 7 years

Section 113 requires reporting entities and their agents to retain records for at least 7 years from the completion of the relevant transaction or the end of the customer relationship. For Australian transactions, this 7-year period applies. If you ask us to delete your certificate or Compliance Network record before the 7-year period has passed, we cannot comply. We will tell you this when you make the request and delete the data within 30 days of the period expiring.

Part 4

The Consumer Data Right and open banking

4.1 How the CDR applies to Opefin Source

When you use Opefin Source in Australia, your bank account data is retrieved via an accredited CDR data recipient. That accredited entity retrieves your data from your bank with your consent and delivers it to Opefin for certificate generation. The specific open banking provider used by Opefin for Australian transactions is specified in the AU Country Addendum and will be confirmed when Australian operations commence.

4.2 Disclosed purpose of CDR consent

The CDR Rules require that CDR data be used only for the purpose disclosed at consent. The purpose disclosed in your Opefin consent flow for Australian users includes: verifying your identity and generating your AML/CTF compliance certificate; EDD screening (PEP, sanctions, and adverse media screening) where that module is activated; creating and maintaining your verified compliance record in the Opefin Compliance Network; enabling accredited reporting entities to query your record for future transactions with notification to you; and improving Opefin products using derived and anonymised data. Raw CDR data is not used for purposes outside this disclosed scope.

4.3 Your CDR consent rights

Under the CDR Rules, you have the following rights in relation to your CDR data:

  • The right to give, manage, and withdraw consent to share your CDR data at any time.
  • The right to see a list of the data sharing arrangements you have authorised.
  • The right to withdraw consent through the CDR consent dashboard provided by your bank or the accredited data recipient.
  • The right to request deletion of your CDR data held by an accredited data recipient, subject to legal retention requirements.
  • The right to know what data has been accessed and for what purpose.

4.4 Scope of CDR access

We request access to account information only. We do not initiate payments, transfers, or any other transactions via the CDR connection. The specific data sets we access are limited to what is necessary to generate your AML/CTF compliance certificate, conduct identity cross-referencing, and create your Compliance Network record.

The open banking provider for Australia

The specific accredited CDR data recipient used by Opefin for Australian transactions will be confirmed and published in the AU Country Specific Additional Consumer Terms when Australian operations commence. We will update this notice and link to the provider’s terms at that time.

Part 5

The Opefin Compliance Network in Australia

The Opefin Compliance Network is a core feature of Opefin Source, not a secondary optional use. By accepting the Global Consumer Terms, the AU Country Specific Additional Consumer Terms, the Global Privacy Policy, and this Privacy Notice, you agree to your certificate and associated verified data being part of the Network for the 7-year statutory retention period applicable to Australian transactions.

5.1 AML/CTF reliance and the Compliance Network

Section 38 of the AML/CTF Act 2006 (Cth) permits reliance by one reporting entity on CDD conducted by another, under specified conditions. The Opefin Compliance Network supports and extends this model for Australian reporting entities, enabling accredited entities to access your verified compliance record for future transactions with notification to you, reducing repeated verification friction.

5.2 Tranche 2 reforms

Australia’s AML/CTF Tranche 2 reforms take effect from 1 July 2026, bringing over 90,000 additional entities including lawyers, accountants, and real estate agents into the AML/CTF regime. This significantly expands the pool of Australian reporting entities that will need to carry out CDD, EDD and source of funds/wealth checks, and the utility of the Opefin Compliance Network for Australian users.

5.3 Notification for Network queries

When an accredited reporting entity queries your Network record, you will receive a notification. You do not need to give fresh consent for each query, but you are notified of each one (and consent will be requested if needed). You may request removal from active Network queries at any time, subject to the 7-year statutory retention period for the underlying certificate.

Part 6

Your rights and how to complain in Australia

6.1 Access and correction requests

Under APPs 12 and 13, you have the right to access the personal information we hold about you and to request correction of inaccurate information. Send your request to privacy@opefin.com. We will acknowledge within 5 business days and respond within 30 days.

6.2 Complaints to Opefin

FieldDetail
Emailcomplaints@opefin.com
What to includeYour name, a description of the concern, and any relevant dates or reference numbers.
Our responseWithin 30 days.

6.3 Complaints to the OAIC

ContactDetail
Websiteoaic.gov.au
Online complaint formoaic.gov.au/privacy/privacy-complaints/
Phone1300 363 992 (within Australia)
AddressGPO Box 5218, Sydney NSW 2001

6.4 CDR complaints

BodyWhat they handle
OAIC (CDR)The OAIC handles CDR privacy complaints alongside general privacy complaints.
ACCCFor complaints about the CDR framework or accredited data recipient conduct: accc.gov.au
AFCAFor complaints about financial institutions involved in your CDR connection: afca.org.au | 1800 931 678

Part 7

Australia-specific disclosures

7.1 Reporting Entities and AUSTRAC

Reporting entities using Opefin Source in Australia are supervised by AUSTRAC. They must be enrolled with AUSTRAC, maintain a compliant AML/CTF Programme, and comply with the AML/CTF Act 2006 (Cth) and the AML/CTF Rules 2007.

7.2 Overseas disclosure to New Zealand

Opefin is a New Zealand entity. When you use Opefin Source in Australia, your personal information is transferred to New Zealand for processing. The New Zealand Privacy Act 2020 is broadly equivalent to the Australian Privacy Act 1988 (Cth) and satisfies the APP 8 standard. Where we use sub-processors based in other countries, we require them contractually to protect your information to a standard consistent with the APPs.

7.3 Sensitive information

The transaction data retrieved from your bank accounts may include information about your financial position that could be considered sensitive under APP 3. We treat all financial data retrieved via CDR as sensitive information and apply our highest level of security controls to it.

7.4 Notifiable Data Breaches

Australia’s Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988 (Cth)) requires us to notify both the OAIC and affected individuals if we suffer an eligible data breach likely to result in serious harm. If an eligible data breach occurs, and allowed under law, we will notify the OAIC as soon as practicable, notify affected individuals directly, and provide a statement describing the nature of the breach, the kinds of information involved, and the steps we are taking in response.

7.5 Australian Consumer Law

If you are an individual consumer in Australia, the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)) applies to your use of Opefin Source. These laws give you certain guaranteed consumer rights that cannot be excluded by contract. Nothing in our Global Consumer Terms, AU Country Specific Additional Terms, Global Privacy Policy, this notice, or any other Opefin document removes those rights.

7.6 Biometric information

Where the IDV Module is activated, Opefin Source collects biometric information within the meaning of the Privacy Act 1988 (Cth), including a facial image and liveness detection result. This information is processed by our appointed IDV Provider under the IDV Provider’s own privacy framework and explicit consent, which you provide as part of the IDV flow. Opefin receives the verification outcome and may retain your raw biometric information after the verification event if required. Because biometric information is sensitive information under the Privacy Act 1988 (Cth), we obtain your explicit consent before collection and we do not use it for any purpose other than verifying your identity for the AML/CTF certificate.

Part 8

Contact details

ContactDetails
Privacy OfficerPrivacy Officer, Opefin Limited
Emailprivacy@opefin.com
Complaints emailcomplaints@opefin.com
Websiteopefin.com
Global Privacy Policyopefin.com/legal/global-privacy-policy
NZ Privacy Noticeopefin.com/legal/nz-privacy-notice
OAIC (AU privacy regulator)oaic.gov.au | 1300 363 992
ACCC (CDR)accc.gov.au
AFCA (financial complaints)afca.org.au | 1800 931 678
AUSTRAC (AML/CTF)austrac.gov.au
Open Banking Provider (AU)To be confirmed when AU operations commence

End of Australia Privacy Notice

Version 1.0 | Effective: 1 April 2026 | Opefin Limited (NZBN 9429053433008)