Legal
Australia Privacy Notice
Jurisdiction-Specific Notice: Read alongside the Global Privacy Policy
Version 1.0 | Effective Date: 1 April 2026
Opefin Limited (NZBN: 9429053433008) | privacy@opefin.com
| Field | Detail |
|---|---|
| Document type | AU Privacy Notice (Jurisdiction-Specific) |
| Applies to | Users in Australia / transactions subject to Australian law |
| Read alongside | Global Privacy Policy baseline |
| Version | 1.0 |
| Effective date | 1 April 2026 |
| Privacy contact | privacy@opefin.com |
How to read this notice
This notice supplements the Opefin Global Privacy Policy baseline. It does not replace it. Read both documents together. Where this notice says something different from the global baseline, this notice takes precedence for users in Australia.
This notice explains your rights and our obligations under the Privacy Act 1988 (Cth), the Consumer Data Right framework under the Competition and Consumer Act 2010 (Cth), and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
Important: Opefin is currently a New Zealand entity
Opefin Limited is incorporated in New Zealand and is the contracting entity for Australian users at the time this notice is published. When Opefin incorporates an Australian entity, this notice will be updated and the Australian entity will become the contracting party for Australian transactions. We will notify Australian users when this happens.
Part 1
The Australian legal framework
| Law | What it does |
|---|---|
| Privacy Act 1988 (Cth) | The core federal privacy law in Australia. It sets out 13 Australian Privacy Principles (APPs) governing how we collect, use, store, and disclose your personal information. The regulator is the Office of the Australian Information Commissioner (OAIC). |
| Consumer Data Right (CDR) | The open banking framework under the Competition and Consumer Act 2010 (Cth), Part IVD. It requires consumer data to be shared only with accredited data recipients, only with the consumer's consent, and only for the purposes disclosed at consent. The ACCC and OAIC jointly regulate the CDR. |
| AML/CTF Act 2006 (Cth) | The law requiring Australian reporting entities to verify the source of their clients' funds. AUSTRAC is the Australian AML/CTF supervisor. Under section 113, records must be retained for at least 7 years. This 7-year period overrides the global baseline for Australian transactions. |
Part 2
Your rights under the Privacy Act 1988 (Cth)
| Principle | How Opefin meets it | Status |
|---|---|---|
| APP 1 — Open and transparent management | We manage personal information openly and transparently. This notice and the global baseline are our primary disclosure tools. We maintain a current privacy policy freely available at opefin.com/legal/global-privacy-policy. | Compliant |
| APP 2 — Anonymity and pseudonymity | AML/CTF law requires us to verify identity. Anonymity is not practicable for the certificate generation process. | N/A — AML/CTF identity requirement applies |
| APP 3 — Collection of solicited personal information | We collect only what is reasonably necessary for the following purposes: verifying your identity through biometric and document verification; generating an AML/CTF compliance certificate; EDD screening (PEP, sanctions, and adverse media) where that module is activated; creating and maintaining your Compliance Network record; enabling accredited reporting entities to query that record for future transactions with notification; improving Opefin products using derived and anonymised data; and complying with legal obligations. | Compliant |
| APP 4 — Unsolicited personal information | If we receive personal information we did not solicit and could not have collected under APP 3, we destroy or de-identify it as soon as practicable. | Compliant |
| APP 5 — Notification of collection | At the point of consent, we disclose who we are, all purposes of collection including Compliance Network use and biometric identity verification, who will receive the information (including our IDV Provider who processes your facial image and liveness check under their own privacy framework), any overseas disclosure, and your rights. This is done via the Consumer Consent Disclosure Notice. | Compliant |
| APP 6 — Use and disclosure | We use and disclose your personal information for the primary purpose and for directly related secondary purposes set out in this notice and the Global Privacy Policy Part 4. We do not use it for credit assessment, employment screening, insurance underwriting, or targeted advertising. | Compliant |
| APP 7 — Direct marketing | We do not use your personal information for direct marketing. | Compliant |
| APP 8 — Cross-border disclosure | Before disclosing your personal information to an overseas recipient, we take reasonable steps to ensure they protect it to a standard comparable to the APPs. Transfer to New Zealand meets the APP 8 standard, as the NZ Privacy Act 2020 is broadly equivalent to the Australian Privacy Act 1988 (Cth). | Compliant |
| APP 9 — Government identifiers | We do not adopt, use, or disclose Australian government identifiers as our own identifier for individuals. | Compliant |
| APP 10 — Quality | We take reasonable steps to ensure the personal information we collect, use, and disclose is accurate, up to date, and complete. Open banking data is retrieved in real time from your bank. | Compliant |
| APP 11 — Security | We protect personal information from misuse, interference, loss, and unauthorised access using AES-256 encryption, TLS 1.2+, MFA, RBAC, and regular penetration testing. | Compliant |
| APP 12 — Access | You have the right to access the personal information we hold about you. We will respond within 30 days. Contact privacy@opefin.com. | Compliant |
| APP 13 — Correction | You have the right to request correction of inaccurate, out of date, incomplete, or misleading personal information. We will respond within 30 days. | Compliant |
Part 3
How long we keep your data — Australia
The global baseline sets a default retention period referenced to applicable statutory law. For Australian transactions, the AML/CTF Act 2006 (Cth) requires a 7-year period, which overrides the global baseline for Australian users.
| Data category | Retention period | Why |
|---|---|---|
| Opefin Source certificates | 7 years from the certificate date. Required by section 113, AML/CTF Act 2006 (Cth). | Statutory obligation. |
| Compliance Network record | 7 years from the certificate date. Deleted within 30 days of expiry or your removal request after the statutory period. | Statutory obligation; Compliance Network operation. |
| CDR transaction data (incorporated) | Retained as part of the certificate and Compliance Network record for the 7-year period. | Statutory obligation. |
| CDR transaction data (not incorporated) | Deleted within 30 days of certificate generation or CDR consent revocation. | Privacy Act APP 11; CDR Rules. |
| Derived and anonymised data | Retained indefinitely for product development and analytics. Once anonymised, this data is no longer personal information. | Legitimate interests in product improvement. |
| CDR consent records | 7 years from the consent event, consistent with the AML/CTF Act and CDR Rules. | Statutory obligation. |
| Certificate audit log | 7 years from the certificate date. | AML/CTF Act 2006 (Cth). |
| Account and profile information | Duration of your account plus 2 years after closure. | Legitimate interests. |
| Communications | 3 years from the date of the communication. | Legitimate interests. |
Section 113, AML/CTF Act 2006 (Cth) — why 7 years
Section 113 requires reporting entities and their agents to retain records for at least 7 years from the completion of the relevant transaction or the end of the customer relationship. For Australian transactions, this 7-year period applies. If you ask us to delete your certificate or Compliance Network record before the 7-year period has passed, we cannot comply. We will tell you this when you make the request and delete the data within 30 days of the period expiring.
Part 4
The Consumer Data Right and open banking
4.1 How the CDR applies to Opefin Source
When you use Opefin Source in Australia, your bank account data is retrieved via an accredited CDR data recipient. That accredited entity retrieves your data from your bank with your consent and delivers it to Opefin for certificate generation. The specific open banking provider used by Opefin for Australian transactions is specified in the AU Country Addendum and will be confirmed when Australian operations commence.
4.2 Disclosed purpose of CDR consent
The CDR Rules require that CDR data be used only for the purpose disclosed at consent. The purpose disclosed in your Opefin consent flow for Australian users includes: verifying your identity and generating your AML/CTF compliance certificate; EDD screening (PEP, sanctions, and adverse media screening) where that module is activated; creating and maintaining your verified compliance record in the Opefin Compliance Network; enabling accredited reporting entities to query your record for future transactions with notification to you; and improving Opefin products using derived and anonymised data. Raw CDR data is not used for purposes outside this disclosed scope.
4.3 Your CDR consent rights
Under the CDR Rules, you have the following rights in relation to your CDR data:
- The right to give, manage, and withdraw consent to share your CDR data at any time.
- The right to see a list of the data sharing arrangements you have authorised.
- The right to withdraw consent through the CDR consent dashboard provided by your bank or the accredited data recipient.
- The right to request deletion of your CDR data held by an accredited data recipient, subject to legal retention requirements.
- The right to know what data has been accessed and for what purpose.
4.4 Scope of CDR access
We request access to account information only. We do not initiate payments, transfers, or any other transactions via the CDR connection. The specific data sets we access are limited to what is necessary to generate your AML/CTF compliance certificate, conduct identity cross-referencing, and create your Compliance Network record.
The open banking provider for Australia
The specific accredited CDR data recipient used by Opefin for Australian transactions will be confirmed and published in the AU Country Specific Additional Consumer Terms when Australian operations commence. We will update this notice and link to the provider’s terms at that time.
Part 5
The Opefin Compliance Network in Australia
The Opefin Compliance Network is a core feature of Opefin Source, not a secondary optional use. By accepting the Global Consumer Terms, the AU Country Specific Additional Consumer Terms, the Global Privacy Policy, and this Privacy Notice, you agree to your certificate and associated verified data being part of the Network for the 7-year statutory retention period applicable to Australian transactions.
5.1 AML/CTF reliance and the Compliance Network
Section 38 of the AML/CTF Act 2006 (Cth) permits reliance by one reporting entity on CDD conducted by another, under specified conditions. The Opefin Compliance Network supports and extends this model for Australian reporting entities, enabling accredited entities to access your verified compliance record for future transactions with notification to you, reducing repeated verification friction.
5.2 Tranche 2 reforms
Australia’s AML/CTF Tranche 2 reforms take effect from 1 July 2026, bringing over 90,000 additional entities including lawyers, accountants, and real estate agents into the AML/CTF regime. This significantly expands the pool of Australian reporting entities that will need to carry out CDD, EDD and source of funds/wealth checks, and the utility of the Opefin Compliance Network for Australian users.
5.3 Notification for Network queries
When an accredited reporting entity queries your Network record, you will receive a notification. You do not need to give fresh consent for each query, but you are notified of each one (and consent will be requested if needed). You may request removal from active Network queries at any time, subject to the 7-year statutory retention period for the underlying certificate.
Part 6
Your rights and how to complain in Australia
6.1 Access and correction requests
Under APPs 12 and 13, you have the right to access the personal information we hold about you and to request correction of inaccurate information. Send your request to privacy@opefin.com. We will acknowledge within 5 business days and respond within 30 days.
6.2 Complaints to Opefin
| Field | Detail |
|---|---|
| complaints@opefin.com | |
| What to include | Your name, a description of the concern, and any relevant dates or reference numbers. |
| Our response | Within 30 days. |
6.3 Complaints to the OAIC
| Contact | Detail |
|---|---|
| Website | oaic.gov.au |
| Online complaint form | oaic.gov.au/privacy/privacy-complaints/ |
| Phone | 1300 363 992 (within Australia) |
| Address | GPO Box 5218, Sydney NSW 2001 |
6.4 CDR complaints
| Body | What they handle |
|---|---|
| OAIC (CDR) | The OAIC handles CDR privacy complaints alongside general privacy complaints. |
| ACCC | For complaints about the CDR framework or accredited data recipient conduct: accc.gov.au |
| AFCA | For complaints about financial institutions involved in your CDR connection: afca.org.au | 1800 931 678 |
Part 7
Australia-specific disclosures
7.1 Reporting Entities and AUSTRAC
Reporting entities using Opefin Source in Australia are supervised by AUSTRAC. They must be enrolled with AUSTRAC, maintain a compliant AML/CTF Programme, and comply with the AML/CTF Act 2006 (Cth) and the AML/CTF Rules 2007.
7.2 Overseas disclosure to New Zealand
Opefin is a New Zealand entity. When you use Opefin Source in Australia, your personal information is transferred to New Zealand for processing. The New Zealand Privacy Act 2020 is broadly equivalent to the Australian Privacy Act 1988 (Cth) and satisfies the APP 8 standard. Where we use sub-processors based in other countries, we require them contractually to protect your information to a standard consistent with the APPs.
7.3 Sensitive information
The transaction data retrieved from your bank accounts may include information about your financial position that could be considered sensitive under APP 3. We treat all financial data retrieved via CDR as sensitive information and apply our highest level of security controls to it.
7.4 Notifiable Data Breaches
Australia’s Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988 (Cth)) requires us to notify both the OAIC and affected individuals if we suffer an eligible data breach likely to result in serious harm. If an eligible data breach occurs, and allowed under law, we will notify the OAIC as soon as practicable, notify affected individuals directly, and provide a statement describing the nature of the breach, the kinds of information involved, and the steps we are taking in response.
7.5 Australian Consumer Law
If you are an individual consumer in Australia, the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)) applies to your use of Opefin Source. These laws give you certain guaranteed consumer rights that cannot be excluded by contract. Nothing in our Global Consumer Terms, AU Country Specific Additional Terms, Global Privacy Policy, this notice, or any other Opefin document removes those rights.
7.6 Biometric information
Where the IDV Module is activated, Opefin Source collects biometric information within the meaning of the Privacy Act 1988 (Cth), including a facial image and liveness detection result. This information is processed by our appointed IDV Provider under the IDV Provider’s own privacy framework and explicit consent, which you provide as part of the IDV flow. Opefin receives the verification outcome and may retain your raw biometric information after the verification event if required. Because biometric information is sensitive information under the Privacy Act 1988 (Cth), we obtain your explicit consent before collection and we do not use it for any purpose other than verifying your identity for the AML/CTF certificate.
Part 8
Contact details
| Contact | Details |
|---|---|
| Privacy Officer | Privacy Officer, Opefin Limited |
| privacy@opefin.com | |
| Complaints email | complaints@opefin.com |
| Website | opefin.com |
| Global Privacy Policy | opefin.com/legal/global-privacy-policy |
| NZ Privacy Notice | opefin.com/legal/nz-privacy-notice |
| OAIC (AU privacy regulator) | oaic.gov.au | 1300 363 992 |
| ACCC (CDR) | accc.gov.au |
| AFCA (financial complaints) | afca.org.au | 1800 931 678 |
| AUSTRAC (AML/CTF) | austrac.gov.au |
| Open Banking Provider (AU) | To be confirmed when AU operations commence |
End of Australia Privacy Notice
Version 1.0 | Effective: 1 April 2026 | Opefin Limited (NZBN 9429053433008)
