Opefin

Global General Terms

The foundation document governing all Opefin products and services worldwide

Version 1.0  |  Effective Date: 1 April 2026  |  Applies to all users globally

Governing law: New Zealand  |  Opefin Limited (NZBN: 9429053433008)

Read this first

These Global General Terms form the foundation of your relationship with Opefin. They apply to every person and every business that uses any Opefin product or service, anywhere in the world.

Additional documents layer on top of these terms. Product Terms describe how a specific Opefin product works. Country Addenda adds the legal requirements for your jurisdiction. An Order Form locks in the commercial arrangements if you are a business using Opefin under a formal agreement. Where those documents conflict with these Global General Terms, the documents higher in the hierarchy take precedence. The full hierarchy is set out in clause 2.

Plain language note: We have written these terms to be read and understood, not to obscure your rights. Key obligations and limitations are called out in highlighted boxes. If anything is unclear, contact us at legal@opefin.com.

Part A

About these terms

1. What These Terms Are

These Global General Terms (“GGT”) set out the rules that apply to everyone who uses any Opefin product or service, anywhere in the world. They are not specific to any one product or country. They are the foundation.

When you use any Opefin service, you agree to be bound by these GGT. If you do not agree, you must stop using the service. We will tell you when these terms change and give you a meaningful opportunity to review them before the change takes effect.

Where a change does not reduce your rights or protections, or is otherwise to your benefit, we may make that change with immediate effect without giving you separate prior notice. We will determine this by acting reasonably and in good faith. A change will not be treated as beneficial or neutral if it expands the purposes for which we use your Personal Data, reduces privacy or consumer protection, increases your liability, or limits your remedies. For any change that reduces your rights or protections, or that a Country Addendum or mandatory law requires to be notified, we will give you at least 30 days’ advance notice before it takes effect and, where the change is material and you are a Consumer User, a reasonable opportunity to decline it by closing your Account without penalty.

We may sometimes need to make changes straight away and without telling you in advance. This may happen where we need to follow a law, regulation, court order, or instructions from a regulator; or to protect the security of your account or our services, including to prevent fraud or other financial crime. Where we do this, we will act reasonably and let you know about the change as soon as we can, unless we are not allowed to do so.

If you continue to use any Opefin service after any changes take effect, this means you legally accept and agree to be bound by the updated terms. You are responsible for ensuring that you remain informed of the latest version of the GGT and any other applicable Opefin legal documents, as updated from time to time.

These GGT apply to two types of users:

  • Consumer Users: natural persons using Opefin primarily for personal purposes, and small businesses as further defined in the applicable Country Addendum.
  • Enterprise Users: companies, organisations, trusts, partnerships, and other legal entities or persons accessing Opefin under a formal commercial arrangement governed by a Master Services Agreement and Order Form.

Some clauses apply only to Consumer Users and some only to Enterprise Users. Where a clause applies to both, it says so or is silent on the distinction.

2. How These Documents Work Together

2.1 The Document Structure

Opefin operates a layered legal framework. Each layer supplements the one below it. The documents that apply to you depend on where you are, what product you use, and whether you are a Consumer User or an Enterprise User.

DocumentWhat It CoversWho It Applies To
Global General Terms (this document)Foundation rules that apply to all users, all products, and all countries and jurisdictions. Contains the global data protection module.All users
Product TermsRules specific to a particular Opefin product, covering what the product does, how it works, and the obligations specific to using it. Divided into Consumer Terms and Enterprise Terms for each product.Users of that product
Country AddendumCountry/jurisdiction-specific, as well as product/services specific requirements that supplement the GGT and Product Terms for users in a particular country or region. Covers local law, local data protection requirements, and local consumer rights among other things.Users in that jurisdiction/country
Order Form (Enterprise Users only)The commercial document that specifies the product, fees, term, volume, Special Clauses, and any other agreed commercial terms for a specific Enterprise User engagement. Includes Product/Service Schedules describing the specific product configuration.Enterprise Users only

2.2 Precedence

All Opefin documents are designed to work together without conflict. Where a conflict does arise, the document higher in the following order takes precedence:

  • First: Order Form Special Clauses (highest).
  • Second: Country Addendum.
  • Third: Global Product Terms (Global Consumer Terms or Enterprise Terms, as applicable).
  • Fourth: These Global General Terms (lowest in the hierarchy).

A document higher in the hierarchy overrides a lower document only to the extent of the conflict. Everything else in the lower document continues to apply.

2.3 Special Clauses

An Order Form may contain Special Clauses. A Special Clause is a bespoke term that modifies, supplements, or overrides any other Opefin document for that specific Enterprise User. Special Clauses must be in writing, signed by both parties, and clearly identified as Special Clauses in the Order Form. Special Clauses in a particular Order Form do not affect other Enterprise Users and do not create any general precedent, and are unique to only that Order Form and the applicable Enterprise User. A Special Clause cannot override clause 2.4 (Mandatory Local Law) or any mandatory consumer or data-protection right, and cannot reduce the protections owed to Consumer Users under the applicable Consumer Terms, Country Addendum, or Privacy Notice. To the extent a Special Clause purports to do so, it is ineffective to that extent.

2.4 Mandatory Local Law

Nothing in these GGT or any other Opefin document limits or removes rights you have under mandatory laws in your jurisdiction that cannot be waived by contract. Where a mandatory law gives you a right that is greater than what these GGT provide, that right applies to you regardless of what these GGT say. Country Addenda set out the specific mandatory law provisions for each jurisdiction where Opefin operates.

3. Definitions

The following words have the meanings set out below throughout these GGT and, unless a different meaning is given, throughout all other Opefin documents.

TermMeaning
AccountA registered user profile on the Platform, created when a User signs up to use the Service.
Applicable LawAll laws, statutes, regulations, codes, binding guidance, and judicial decisions applicable to a party's activities, in the jurisdiction where that party operates or where the relevant activity takes place.
Consumer UserA natural person using the Service primarily for personal usage. In some jurisdictions, small businesses that qualify as consumers under Applicable Law are also treated as Consumer Users as further specified in the relevant Country Addendum.
ContentInformation, data, documents, images, or other materials submitted or uploaded to the Platform by a User.
ControllerThe natural person or legal entity that, alone or jointly with others, determines the purposes and means of processing Personal Data. In some jurisdictions referred to as a 'data controller', 'information holder', or equivalent.
Country AddendumA country/jurisdiction-specific document that supplements these GGT and the applicable Product Terms for users in a particular country or region (for example, the NZ or AU Specific Additional Consumer Terms).
Data BreachA confirmed or reasonably suspected security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that Opefin processes.
Data Processing Agreement (DPA)The agreement governing the handling of Personal Data in connection with Opefin Products. It sets out Opefin's obligations as primary Controller of Consumer Data collected through the Opefin Source consent process, the Enterprise User's obligations as downstream Controller of Certificates delivered to it, and the narrow scope in which Opefin acts as Processor on the Enterprise User's instructions.
Data SubjectThe identified or identifiable natural person to whom Personal Data relates.
Enterprise UserA company, organisation, trust, partnership, or other legal entity and/or person that accesses the Service under a Master Services Agreement and Order Form. An Enterprise User may also be a Consumer User in certain contexts as further specified in the applicable Product Terms.
FeesThe charges payable by an Enterprise User for the Service, as specified in an Order Form.
Force Majeure EventAny event or circumstance beyond a party's reasonable control that prevents or delays performance of an obligation, including natural disasters, pandemics, acts of war or terrorism, government actions, power failures, and failures of third-party infrastructure that the party does not control.
Global General Terms (GGT)This document, as updated from time to time in accordance with clause 28.
Home JurisdictionNew Zealand, being the jurisdiction of Opefin's primary incorporation. Where a Country Addendum designates a different Opefin contracting entity for that jurisdiction, the Home Jurisdiction for that Country Addendum is specified in it.
Intellectual Property RightsAll present and future rights in copyright, patents, trade marks, service marks, designs, trade secrets, know-how, database rights, and all other intellectual or industrial property rights, whether registered or unregistered, in any jurisdiction worldwide.
LossesAll direct and reasonably foreseeable losses, damages, liabilities, costs, and expenses, including reasonable legal fees.
Master Services Agreement (MSA)The commercial agreement between Opefin and an Enterprise User that, together with an Order Form and the applicable Product Terms and GGT, governs the Enterprise User's access to the Service.
Opefin / we / us / ourOpefin Limited (incorporated in New Zealand, Company Number 9403953, NZBN: 9429053433008) and any affiliated entities through which Opefin delivers the Service in other jurisdictions. Where a Country Addendum names a different contracting entity, references to 'Opefin' in that Country Addendum mean that entity.
Order FormA commercial document signed by Opefin and an Enterprise User that specifies the Product, Fees, Service Term, volume, Special Clauses, and other commercial terms for a specific engagement. An Order Form may incorporate one or more Product Schedules.
Personal DataAny information relating to an identified or identifiable natural person. This term is intended to be read at least as broadly as 'personal information', 'personally identifiable information', or equivalent terms under Applicable Law. Where Applicable Law requires a broader meaning, that meaning applies.
PlatformOpefin's websites, web applications, mobile applications, APIs, software development kits, and associated technology infrastructure through which the Service is delivered.
Privacy NoticeThe global as well as jurisdiction-specific document that provides users with detailed information about how Opefin handles their Personal Data in that jurisdiction, supplementing the Data Protection Module in Part E of these GGT.
ProcessingAny operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, use, disclosure, adaptation, retrieval, consultation, transmission, restriction, erasure, or destruction.
ProcessorA natural person or legal entity that processes Personal Data on behalf of, and under the instructions of, a Controller. In some jurisdictions referred to as a 'data processor' or equivalent.
ProductA specific service, platform, feature, or solution offered by Opefin, as described in the applicable Product Terms.
Product ScheduleA document forming part of or attached to an Order Form that describes the specific Product, configuration, pricing, and commercial terms for that Product.
Product TermsThe document that contains the terms and conditions specific to a particular Opefin Product, supplementing these GGT. Typically divided into Consumer Terms and Enterprise Terms.
ServiceAll Products, features, and capabilities made available by Opefin through the Platform from time to time.
Special ClausesBespoke terms included in an Order Form, agreed in writing between Opefin and an Enterprise User, that modify or supplement any other Opefin document for that specific engagement, as described in clause 2.3.
Sub-processorA third-party organisation engaged by Opefin, in its capacity as Processor, to carry out specific Personal Data processing activities on Opefin's behalf.
User / you / yourAny natural person or legal entity that accesses or uses the Platform or Service in any capacity, including Consumer Users and Enterprise Users.

Part B

Accessing Opefin

4. Who May Use Opefin

4.1 Eligibility

To use the Service, you must: (a) be at least 18 years of age, or the age of majority in your jurisdiction if that is higher; (b) have the legal capacity to enter into a binding agreement; and (c) not be prohibited from using the Service under Applicable Law or by a previous suspension or termination of your Account.

If you are accessing the Service on behalf of a company, organisation, or other legal entity, you represent and warrant that you are authorised to bind that entity to these GGT and all other applicable Opefin legal documents. The entity you represent becomes the User and is bound by these terms.

4.2 Business Users Accessing Consumer Products

Where a legal entity (such as a company or trust) uses a Product that is primarily designed for natural persons (for example, connecting the entity’s business bank accounts through an open banking flow), the legal entity is nonetheless bound by these GGT as a User. The person completing the authentication flow on behalf of the entity represents and warrants that they are authorised to do so and that the entity consents to the data access that results.

4.3 Compliance with Laws

You are responsible for complying with all Applicable Laws when using the Service. We do not represent that the Service is suitable for use in all jurisdictions. If you are unsure whether using the Service is lawful in your jurisdiction, you should seek independent legal advice before using it.

5. Account Registration

5.1 Creating and using an Account

Most features of the Service require you to create an Account. When creating an Account, you must provide information that is complete, accurate, and up to date.

To use the Service, you must provide all information reasonably requested for its purposes, including identity verification and compliance with anti-money laundering or counter- terrorism financing requirements. This includes details of any relevant financial accounts or services connected to you. Where the Identity Verification Module is activated, using the Service involves biometric verification through a third-party identity verification provider. That provider processes your biometric data under its own privacy framework, which you will be asked to accept. You must not withhold, limit, or restrict any information that is reasonably required.

Providing complete and accurate information is a condition of using the Service. Failure to do so will be considered a serious breach of these terms and may result in suspension or termination of your Account. Such a breach could also have legal consequences, including potential criminal liability under applicable anti-money laundering and counter-terrorism financing laws.

You must keep your Account information up to date, correct any errors promptly, and provide any additional information or documents reasonably requested to continue using the Service.

5.2 One Account Per User

Unless we agree otherwise in writing, each User may hold one Account. Creating multiple Accounts to circumvent restrictions, quotas, or suspensions is prohibited.

5.3 Business Accounts

Where you create an Account on behalf of a legal entity, the Account belongs to that entity. If the individual who created the Account leaves the organisation, the entity retains ownership of the Account and its data. The entity is responsible for ensuring that access credentials are transferred or revoked appropriately.

5.4 Account Suspension

We may immediately suspend or restrict your Account where we have reasonable grounds to believe that you have breached these GGT, engaged in fraudulent or unlawful conduct, or where we are required to do so by Applicable Law or a competent authority. We will tell you that your Account has been suspended and, where it is lawful to do so, why. If you believe a suspension is in error, contact us at hello@opefin.com.

6. Account Security

6.1 Your Responsibility

You are responsible for maintaining the confidentiality of your Account credentials and for all activity that occurs under your Account. You must use a strong password, enable multi-factor authentication where it is offered, and promptly notify us at security@opefin.com if you suspect that your Account has been compromised.

6.2 No Sharing

You must not share your Account credentials with any other person. If you are an Enterprise User, you must ensure that only Authorised Users (as defined in your Order Form) access the Service using your Account credentials.

6.3 Our Role

We take reasonable steps to protect the security of our Platform. However, we cannot guarantee that the Service will be free from all security vulnerabilities. You access the Service at your own risk to the extent permitted by Applicable Law. Our security obligations and the technical and organisational measures we maintain are described in our Security Policy and, for Enterprise Users, in the Data Processing Agreement.

Part C

Using Opefin responsibly

7. Standards That Apply to All Users

We expect every User of the Service to act honestly, responsibly, and in accordance with Applicable Law. The following standards apply to all Users at all times:

  • Use the Service only for its intended purpose as described in the applicable Product Terms.
  • Provide accurate and complete information when using the Service and when creating or maintaining your Account.
  • Respect the privacy of other people whose information may be accessible through the Service.
  • Cooperate with any verification or identity checks we are required to conduct under Applicable Law.
  • Comply with all reasonable instructions, notices, and updates we publish about how to use the Service safely and appropriately.
  • Report any suspected security vulnerability or misuse of the Service to security@opefin.com promptly.

8. Conduct We Will Not Tolerate

Prohibited conduct

The following conduct is prohibited for all Users. Engaging in any of it may result in immediate suspension or termination of your Account and, where appropriate, referral to law enforcement or regulatory authorities: using the Service to process Personal Data belonging to another person without their valid, informed consent; attempting to gain unauthorised access to any part of the Platform; introducing malware, viruses, exploits, or malicious code; using automated tools to place unreasonable load on our systems or circumvent security controls; facilitating any fraudulent, deceptive, or unlawful activity, including document fraud, identity fraud, or money laundering; reverse engineering or extracting Opefin’s proprietary algorithms, models, or source code; reselling or sublicensing access without our written consent; discriminating against any person on the basis of a protected characteristic; or publishing unlawful, defamatory, obscene, or infringing content.

Specific additional prohibitions applying to Enterprise Users are set out in the applicable Product Terms and, where relevant, the Acceptable Use Policy.

Part D

Intellectual property

9. Opefin’s Intellectual Property

9.1 Ownership

Opefin owns all Intellectual Property Rights in the Platform, the Service, our software, algorithms, models, proprietary data pipelines, certificate templates, cryptographic infrastructure, documentation, and all improvements and derivative works of any of them. These rights belong to Opefin regardless of where in the world they arise.

9.2 Licence to You

We grant you a limited, non-exclusive, non-transferable, immediately revocable licence to access and use the Service during the period your Account is active, solely for the purposes described in the applicable Product Terms and in accordance with these GGT. This licence does not transfer ownership of anything to you and cannot be sublicensed without our written consent.

9.3 Restrictions

You must not: (a) copy, modify, translate, or create derivative works from any part of the Platform or Service; (b) remove or obscure any proprietary notices, trade marks, or copyright notices; (c) use Opefin’s name, trade marks, or branding without our prior written consent; or (d) use the Service to build, train, or operate a competing product.

9.4 Open Source

Certain components of our Platform may use open source software. Where they do, the relevant open source licences apply to those components. Nothing in these GGT overrides an open source licence to the extent that licence grants you rights in open source components.

10. Your Content

10.1 You Retain Ownership

You retain ownership of Content you submit to the Platform. We do not claim ownership of your Content.

10.2 Licence from You to Us

By submitting Content to the Platform, you grant us a worldwide, royalty-free, non-exclusive licence to: (a) use, store, process, and display your Content to the extent necessary to provide the Service, including all activated Modules of Opefin Source; (b) derive anonymised, aggregated, or pseudonymised data from your Content and use that derived data without restriction for product development, model improvement, new products and features, industry analytics, and other commercial purposes, provided that derived data does not identify you; and (c) retain and use structured compliance data derived from your Content as part of the Opefin Compliance Network in accordance with the applicable Product Terms and Privacy Notice. The licence in (a) ends when we delete your Content. The licences in (b) and (c) survive deletion to the extent that the derived data no longer constitutes personal information.

10.3 Your Representations

By submitting Content, you represent and warrant that: (a) you have the right to submit it; (b) submitting it does not breach any third-party rights or any Applicable Law; and (c) it is accurate to the best of your knowledge.

11. Feedback and Suggestions

If you provide us with suggestions, ideas, or feedback about the Service, you grant us a perpetual, worldwide, irrevocable, royalty-free licence to use that feedback without restriction, attribution, or compensation. We are not obliged to act on any feedback you provide.

Part E

Data protection — global module

How this module works

This module sets out Opefin’s global data protection principles. It is designed to meet or exceed the requirements of data protection laws in all jurisdictions where Opefin operates, including the GDPR (EU/UK), the Privacy Act 2020 (New Zealand), the Privacy Act 1988 (Australia), PIPEDA (Canada), the PDPA (Singapore), and the CCPA (United States).

Where a Country Addendum is in place for your jurisdiction, it supplements this module with jurisdiction-specific requirements. A Privacy Notice for your jurisdiction provides the user-facing information you are entitled to receive under Applicable Law. For Enterprise Users, the Data Processing Agreement governs Opefin’s processing of Personal Data on your behalf as your Processor.

12. Our Role in Handling Your Data

12.1 When We Are the Controller

When we collect and use Personal Data about you to manage your Account, provide the Service, communicate with you, improve our products, operate the Opefin Compliance Network, or for any other purpose described in these GGT or the applicable Privacy Notice, we act as the Controller. For Personal Data collected from consumers through the Opefin Source consent process, including data submitted via a magic link or any other Opefin interface, Opefin is the primary Controller regardless of which Reporting Entity initiated the certificate request. The Reporting Entity is the Controller only of the completed certificate once delivered to them.

12.2 When We Are the Processor

In the narrow scope where an Enterprise User provides supplementary instructions to Opefin for the purpose of generating a specific Certificate output, Opefin processes that supplementary data as Processor on the Enterprise User’s instructions, and the Enterprise User is the Controller for that supplementary data. The Data Processing Agreement defines the boundary between these two roles precisely.

12.3 The Data Processing Agreement

For Enterprise Users where we act as Processor, we will execute a Data Processing Agreement with you before we process any Personal Data on your behalf. The DPA sets out the specific obligations we each have, the categories of data processed, the processing activities, security measures, and sub-processor arrangements. The DPA supplements but does not replace this module.

13. What Personal Data We Collect and Why

13.1 Categories of Personal Data

The specific Personal Data we collect depends on the Product you use and is described in detail in the applicable Product Terms and Privacy Notice. At a general level, we may collect: identity data; contact data; financial data (bank account information, transaction details and history, account balances, where you have authorised access through an open banking connection); account data; technical data (IP addresses, device identifiers, location, browser types); communications data; and biometric data (liveness detection results, facial match scores, and identity document scans, where the IDV Module is activated). Biometric data is processed by Opefin’s IDV Provider under their own privacy framework; Opefin retains the verification outcome only.

13.2 How We Use It

We use Personal Data only for the purposes described in these GGT, the applicable Product Terms, and the applicable Privacy Notice: providing and operating the Service; verifying user identity and preventing unlawful activities such as money laundering, terrorist financing and fraud; operating the Opefin Compliance Network and making verified compliance records available to accredited Reporting Entities with notification to the Data Subject; developing, training, and improving Opefin products and models using derived and anonymised data; generating industry analytics using anonymised data; complying with our legal obligations; and communicating with you about the Service.

13.3 Data Minimisation

We collect and retain only the Personal Data that is necessary for the purposes for which it is processed. Where we can use anonymised or aggregated data to achieve a purpose, we prefer that over personal data. Data that has been genuinely anonymised is no longer Personal Data and may be retained and used indefinitely for product development, analytics, and model training purposes without being subject to data protection obligations.

14. Lawful Bases for Processing

We process your Personal Data only where we have a lawful basis for doing so. The main lawful bases we rely on are:

Lawful BasisWhen We Rely on ItExample
Contract performanceProcessing is necessary to provide the Service you have requested or to take steps before entering into an agreement with you.Processing bank account data to generate a source of funds and source of wealth certificate you or your Enterprise User requested.
Legal obligationProcessing is necessary for us to comply with a legal obligation that applies to us.Retaining records to satisfy regulatory requirements; responding to lawful requests from authorities.
Legitimate interestsProcessing is necessary for our legitimate business interests, provided those interests are not overridden by your rights.Fraud and unlawful behaviour detection; platform security; improving our products using derived anonymised datasets; operating the Compliance Network; industry analytics.
ConsentYou have provided your clear, specific, and freely given consent to the processing for a particular purpose.Accessing your bank accounts through an open banking connection; marketing communications.
Vital interestsProcessing is necessary to protect someone's life in an emergency.Applicable only in genuine emergency situations.

Where we rely on consent, you have the right to withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal. Some processing does not depend on your consent: processing necessary to meet our AML/CTF and other legal obligations, and processing under our legitimate interests (including operating the Compliance Network and improving our products using derived, de-identified data), continues on those bases even if you withdraw consent to optional processing such as open banking access.

15. Your Data Rights

You have the following rights regarding Personal Data we hold about you. How to exercise these rights, the timeframes that apply, and any exceptions are set out in clause 15.2 and, in more detail, in the Privacy Notice for your jurisdiction.

RightWhat It Means
AccessAsk us to confirm whether we hold Personal Data about you and, if so, to provide a copy of it.
RectificationAsk us to correct inaccurate or incomplete Personal Data we hold about you.
Erasure (right to be forgotten)Ask us to delete your Personal Data. This right is not absolute; we may need to retain data to comply with legal obligations. We will tell you if we cannot erase data and why, to the extent lawful.
RestrictionAsk us to suspend processing of your Personal Data in certain circumstances, for example while we investigate a dispute about its accuracy.
PortabilityReceive Personal Data you have provided to us in a structured, commonly used, machine-readable format, where technically feasible.
ObjectionObject to us processing your Personal Data where we rely on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
Withdraw consentWithdraw consent to processing at any time where consent is our lawful basis. This does not affect prior processing.
No automated decision-makingNot be subject to a decision based solely on automated processing that produces a significant legal or similarly significant effect on you, without human review.
Non-discriminationExercise your data rights without being discriminated against in the Service we provide to you.
Complain to a regulatorLodge a complaint with the competent data protection supervisory authority in your jurisdiction, identified in the Privacy Notice for your jurisdiction.

15.2 How to Exercise Your Rights

To exercise any right, contact our Privacy Officer at privacy@opefin.com. Include your name, Account details, and a description of the right you wish to exercise. We will respond within 30 days of receiving your request, or within the shorter period required by Applicable Law. We may ask you to verify your identity before processing the request. We will not charge a fee for responding except where Applicable Law permits us to do so for excessive or repetitive requests.

16. How We Protect Your Data

We implement and maintain technical and organisational measures appropriate to the risk presented by our processing of Personal Data, designed to protect against unauthorised access, disclosure, loss, destruction, or alteration. Our specific security measures are described in our Security Policy. For Enterprise Users, the specific measures applicable to Consumer Data processing are set out in Schedule 2 of the Data Processing Agreement. Despite our security measures, no system is completely secure. If you become aware of any security vulnerability or incident, please report it to security@opefin.com immediately.

17. How Long We Keep Your Data

We retain Personal Data for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, enforce our agreements, and for other legitimate business purposes. Retention periods for specific categories are set out in the applicable Product Terms and Privacy Notice. Data held in the Opefin Compliance Network is retained for the statutory period applicable in the relevant jurisdiction and deleted within 30 days of that period expiring or of a valid removal request received after the period has expired. Data that has been genuinely anonymised is no longer Personal Data and may be retained and used indefinitely. You may request deletion under clause 15; we may decline to the extent that retention is permitted or required by Applicable Law.

18. Cross-Border Data Transfers

18.1 Data May Be Transferred Internationally

Opefin operates globally. Your Personal Data may be transferred to, stored in, or processed in countries other than the country where you are located. These countries may have data protection laws that are different from the laws of your country.

18.2 Our Transfer Safeguards

If we transfer Personal Data to a country not recognised as providing an adequate level of data protection, we put in place appropriate safeguards, which may include: adequacy decisions; standard contractual clauses (or equivalent) approved by the relevant authority; binding corporate rules where transfers occur within the Opefin group; and other legally recognised transfer mechanisms applicable under Applicable Law.

18.3 Country-Specific Transfer Mechanisms

The specific transfer mechanisms applicable in your jurisdiction are described in the Privacy Notice for that jurisdiction. Where Applicable Law requires additional safeguards, the Country Addendum sets these out.

19. Data Breach Notification

19.1 Our Commitment

Where we experience a Data Breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant competent supervisory authority within the timeframe required by Applicable Law (and in any event within 72 hours of becoming aware where that is the applicable standard). Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.

19.2 Enterprise User Notification

Where a Data Breach involves Personal Data that we process on behalf of an Enterprise User, we will notify the Enterprise User without undue delay and in accordance with the timeframe specified in the Data Processing Agreement. The Enterprise User is responsible for notifying affected Data Subjects and the relevant supervisory authority in its capacity as Controller.

19.3 No Admission

Notifying you or a supervisory authority of a Data Breach is not an admission of fault or liability on our part.

Part F

Consumer protections

The protections in this Part apply to all Consumer Users. Where a Country Addendum provides stronger or additional consumer protections required by Applicable Law, those apply in addition to this Part. Nothing in this Part limits any mandatory consumer protection rights you have under the laws of your jurisdiction.

20. Our Commitment to Consumer Users

20.1 Acting in Your Interests

We design our products and services to deliver adequate outcomes for you. We will be honest and transparent about what our products do, what they do not (or cannot) do, and any limitations or risks that matter to you. We will not use design, language, or communication techniques that exploit your psychology, create false urgency, or lead you to make decisions that are not in your interests.

20.2 Clear and Fair Communications

All communications from us to Consumer Users will always attempt to be clear, written in plain language, and not misleading. We will not bury important information in dense legal text. Where a change to our terms or services may affect you, we will communicate that change in a way that allows you to understand it and make an informed decision.

20.3 Right to Make Informed Decisions

Before you use any Opefin product, we will give you the information you need to make an informed decision, including: what the product does and does not do; what data we will access and why; who will receive the outputs; how long data will be retained; and your rights. The applicable Product Terms and Consumer Consent Disclosure Notice provide this information for specific products.

20.4 Fair Pricing

Where we charge Consumer Users for any product or service, the price will be clearly disclosed before you commit. We will not charge hidden fees.

20.5 No Exploitation of Vulnerability

We recognise that some of our users may be in vulnerable circumstances. We will not exploit vulnerability. If you tell us that you need support or additional time, we will do what we reasonably can to accommodate that. See clause 21.

20.6 Easy to Leave

Consumer Users may stop using any Opefin product or service and close your Account at any time, subject to any minimum commitments in your Product Terms. Your rights to data generated about you are set out in clause 15. You will not face penalties for exercising your right to leave unless a specific commitment period is agreed in your Product Terms.

21. Vulnerable Users

Opefin is committed to treating all users with care. If you are experiencing circumstances that affect your ability to use the Service, such as financial hardship, a health condition, bereavement, or another vulnerability, please contact us at hello@opefin.com. We will work with you to try and find a reasonable way to continue to provide the Service, extend timelines, or support your needs if applicable. We will not use information about your vulnerability for purposes beyond supporting you, and we will handle such information with additional care.

22. Complaints and Escalation

22.1 Internal Complaints

If something goes wrong, we want to know about it so we can fix it. You may make a complaint to us at any time by emailing complaints@opefin.com. We will acknowledge your complaint within five Business Days and aim to resolve it within 20 Business Days (or a shorter timeframe as required under Applicable Law). If we need more time, we will tell you and keep you informed.

22.2 External Escalation

If we cannot resolve your complaint to your satisfaction, or if we have not resolved it within 60 Business Days, you have the right to escalate it to: our approved external dispute resolution scheme (details in the Country Addendum for your jurisdiction); the relevant consumer protection authority; or the relevant data protection supervisory authority. External escalation is free of charge to you.

22.3 Online Dispute Resolution

Where required by Applicable Law, information about online dispute resolution platforms available to you is provided in the Country Addendum for your jurisdiction.

Part G

Liability

Important

This Part sets out limits on Opefin’s liability. Nothing in this Part removes or limits your rights under mandatory consumer protection laws in your jurisdiction that cannot be waived by contract. If you are a Consumer User, you retain all rights available to you under the consumer protection laws of your jurisdiction even if those rights are greater than what this Part provides. Enterprise Users should read this Part alongside the liability provisions in the applicable Master Services Agreement and Product Terms.

23. What We Are Responsible For

Opefin will: (a) provide the Service with reasonable skill and care; (b) take reasonable steps to ensure the Platform is available and secure; (c) handle your Personal Data in accordance with these GGT and Applicable Law; and (d) give you reasonable notice of material changes to the Service that may affect you. We are only responsible for Losses you suffer that are directly caused by our breach of these GGT or by our negligence, fraud, or wilful misconduct. We do not exclude liability for death or personal injury directly caused by our negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot be limited or excluded under Applicable Law.

24. Limits on Our Liability

24.1 Excluded Losses

To the fullest extent permitted by Applicable Law, we are not liable for: (a) loss of profits, revenue, business, opportunity, data, or goodwill; (b) indirect, consequential, incidental, or special loss of any kind; or (c) any loss you suffer as a result of decisions you or a third party make based on outputs of the Service, including any regulatory, financial, or legal consequence of those decisions.

24.2 Total Aggregate Liability Cap

To the fullest extent permitted by Applicable Law, our total aggregate liability to you for all claims arising out of or in connection with the Service in any 12-month period is limited to:

  • For Enterprise Users: the total Fees paid by you to Opefin in the 12 months immediately preceding the event giving rise to the claim, as further specified in the applicable MSA.
  • For Consumer Users who pay for the Service: the total amount paid by you for the specific Product or transaction to which the claim relates.
  • For Consumer Users who use the Service at no charge: NZD 10 (or the equivalent in your local currency), unless a higher amount is required under mandatory consumer protection laws in your jurisdiction.

24.3 Mandatory Consumer Rights

The caps and exclusions in this clause 24 do not apply to the extent that they are inconsistent with mandatory consumer protection laws in your jurisdiction. Where those laws provide you with remedies or protections that cannot be waived by contract, this clause does not exclude or limit those remedies or protections. Country Addenda specify the mandatory consumer rights applicable in each jurisdiction.

24.4 Third-Party Services

Our Service depends on third-party providers including open banking providers, identity verification providers, sanctions and PEP screening data providers, and cloud infrastructure providers. These are identified as Sub-processors in the Data Processing Agreement. We are not liable for losses caused by failures, errors, or outages of third-party services that we do not control, provided we have taken reasonable steps in selecting and managing those providers and, where a failure causes disruption, we notify you promptly and work to restore access as soon as practicable.

25. Your Responsibilities to Us

You are responsible for: (a) any Losses we suffer arising from your breach of these GGT, including reasonable legal costs; (b) any claim made against us by a third party arising from your use of the Service in breach of these GGT; and (c) ensuring that Content you submit to the Platform complies with Applicable Law and does not infringe the rights of any third party. Where you are an Enterprise User, your indemnity obligations are set out in greater detail in the applicable Product Terms.

Part H

General provisions

26. Suspension and Termination

26.1 Termination by You

You may stop using the Service and close your Account at any time. If you are a Consumer User, you may close your Account by contacting hello@opefin.com or using the account settings on the Platform. If you are an Enterprise User, termination is governed by your Master Services Agreement and Order Form.

26.2 Termination by Us

We may suspend or terminate your Account and access to the Service: (a) on reasonable notice, for any reason if you are a Consumer User; (b) in accordance with the MSA if you are an Enterprise User; or (c) immediately and without notice if you breach these GGT in a way that causes or risks harm to us, to other Users, or to third parties, or if we are required to do so by Applicable Law or a competent authority.

26.3 Effect of Termination

On termination: (a) your licence to use the Service ends; (b) you must cease all use of the Platform; (c) outstanding obligations (including payment obligations for Enterprise Users) survive termination; and (d) clauses 9 (IP), 10 (Your Content), Part E (Data Protection), Part G (Liability), this clause 26.3, and clauses 27 to 34 survive termination.

27. Amendments and Changes

27.1 Changes to These GGT

We may update these GGT from time to time to reflect changes in the Service, changes in Applicable Law, or improvements to how we operate. We will notify you of material changes by email, by a notice on the Platform, or by another appropriate method, at least 30 days before the change takes effect for existing users.

27.2 Your Options

If you are a Consumer User and you do not accept a material change to these GGT, you may close your Account and stop using the Service before the change takes effect without penalty. If you continue using the Service after the effective date of a change, you are taken to have accepted the updated GGT. If you are an Enterprise User, changes that materially affect your engagement are subject to the process set out in the applicable MSA.

27.3 Product Terms and Country Addenda

Product Terms and Country Addenda may be updated separately. Notification of changes to those documents is provided in those documents.

28. Force Majeure

Neither party is in breach of these GGT or otherwise liable for any delay or failure to perform where that delay or failure is directly caused by a Force Majeure Event, provided the affected party promptly notifies the other party and takes reasonable steps to minimise the impact and resume performance. A Force Majeure Event does not relieve a Reporting Entity of its own regulatory obligations under Applicable Law, including AML/CTF customer due diligence and record-keeping. Opefin will use reasonable endeavours to maintain or promptly restore the AML/CTF-critical functions of the Service, including certificate verification and access to existing compliance records, during any Force Majeure Event. If a Force Majeure Event continues for more than 30 consecutive days and materially prevents Opefin from providing the Service, either party may terminate the affected Service by written notice, without liability for the failure to perform during the Force Majeure period.

29. Governing Law and Jurisdiction

29.1 Governing Law

These GGT and any dispute or claim arising out of or in connection with them are governed by the laws of New Zealand (Opefin’s Home Jurisdiction). This choice of law does not deprive Consumer Users of the protection of mandatory consumer laws in their own jurisdiction.

29.2 Jurisdiction

Any dispute not resolved under clause 30 is subject to the non-exclusive jurisdiction of the courts of New Zealand. This clause does not prevent: (a) Opefin from seeking injunctive or other equitable relief in any jurisdiction; or (b) Consumer Users from bringing proceedings in the courts of their own jurisdiction where Applicable Law gives them the right to do so.

29.3 Jurisdiction-Specific Variation

Where a Country Addendum designates a different governing law or jurisdiction for a specific country, that Country Addendum takes precedence over this clause 29 for users in that country, to the extent required by Applicable Law or for operational reasons specific to that jurisdiction.

30. Dispute Resolution

30.1 First Step: Talk to Us

Before taking formal steps, we encourage you to contact us to try to resolve any dispute informally. Most issues can be resolved quickly and simply. Contact us at complaints@opefin.com.

30.2 Second Step: Formal Complaint

If informal contact does not resolve the issue, Consumer Users should submit a formal complaint in accordance with clause 22. Enterprise Users should follow the dispute resolution process in the applicable MSA.

30.3 Third Step: External Resolution

If a formal complaint is not resolved within the timeframes in clause 22, Consumer Users may escalate to the external dispute resolution scheme or regulatory body identified in the Country Addendum. Enterprise Users may proceed to the dispute resolution mechanism in the MSA (typically good faith negotiation, then mediation, then courts).

30.4 Injunctive Relief

Nothing in this clause 30 prevents either party from seeking urgent injunctive or interim relief from a court at any time.

31. Severance

If any provision of these GGT is found by a court or competent authority to be invalid, unlawful, or unenforceable to any extent, that provision is severed from the remainder of these GGT, which continue in full force and effect. Where possible, the severed provision is replaced with a valid provision that most closely achieves the intended commercial outcome.

32. Entire Agreement

32.1 Complete Agreement

Together with the applicable Product Terms, Country Addendum, and Order Form (for Enterprise Users), these GGT constitute the entire agreement between you and Opefin regarding your use of the Service. They supersede all prior representations, negotiations, and agreements between the parties on the same subject matter.

32.2 No Waiver

Failure by either party to exercise or enforce any right or provision of these GGT does not constitute a waiver of that right or provision. A waiver is effective only if it is given in writing and signed by the waiving party.

32.3 No Third-Party Rights

These GGT do not create any rights in favour of third parties, except that Opefin’s affiliates may enforce confidentiality and indemnity provisions in their favour as third-party beneficiaries to the extent applicable to them.

33. Assignment

You may not assign, transfer, or novate your rights or obligations under these GGT to any third party without our prior written consent. We may assign our rights and obligations under these GGT to an affiliate or to any successor in connection with a merger, acquisition, or sale of substantially all of our assets, on 30 days’ written notice to you. If you are a Consumer User and you do not accept the assignment, you may close your Account before the assignment takes effect.

34. Contact

TopicContact
General legal querieslegal@opefin.com
Privacy Officerprivacy@opefin.com
Security incidentssecurity@opefin.com
Consumer support and complaintshello@opefin.com | complaints@opefin.com
Enterprise legal and commerciallegal@opefin.com
Opefin LimitedNZBN: 9429053433008

The current version of these Global General Terms is always available at opefin.com/legal/global-general-terms. A full list of Opefin’s legal documents, including all Product Terms, Country Addenda, Privacy Notices, and the current version history, is maintained at opefin.com/legal.

End of Global General Terms | Version 1.0 | Opefin Limited

Foundation document for all Opefin products and services