Legal
Global Privacy Policy
Baseline Policy: All Jurisdictions
Version 1.0 | Effective Date: 1 April 2026 | Last reviewed: 1 April 2026
Opefin Limited (NZBN: 9429053433008) | privacy@opefin.com
| Field | Detail |
|---|---|
| Document type | Global Privacy Policy: Baseline |
| Version | 1.0 |
| Issued by | Opefin Limited |
| NZBN | 9429053433008 |
| Privacy contact | privacy@opefin.com |
| Effective date | 1 April 2026 |
| Last reviewed | 1 April 2026 |
How this policy works
This document is the global baseline privacy policy for Opefin Limited. It applies to everyone who uses Opefin products, regardless of where they are located. It sets out the core rules that apply in every jurisdiction.
Jurisdiction-specific privacy notices sit alongside this baseline and add or replace specific rules that apply in your country. For example, if you are in New Zealand, read this baseline together with the NZ Privacy Notice. If you are in Australia, read it together with the AU Privacy Notice. Links to all current notices are at the end of this document.
If there is a conflict between this baseline and a jurisdiction-specific notice, the jurisdiction-specific notice takes precedence for users in that jurisdiction. This policy is designed so that conflicts do not arise.
Plain language commitment
This policy is written in plain English. Legal terms are explained where they are used. If anything is unclear, contact us at privacy@opefin.com.
Part 1
Who we are and how to contact us
Opefin Limited is a technology company incorporated in New Zealand (Company Number 9403953, NZBN 9429053433008). We operate Opefin Source, an end-to-end AML/CTF compliance platform covering identity verification, source of funds analysis, enhanced due diligence (EDD) screening, risk profiling, ongoing monitoring, and suspicious activity report (SAR) workflow tooling, and the Opefin Compliance Network, through which accredited reporting entities can access verified compliance records with consumer notification.
We are the data controller for all personal information collected when consumers use our services, including when that information is submitted on a consumer’s behalf by a reporting entity. When a consumer interacts with our platform, whether through a magic link or any other Opefin interface, they agree to these terms and our privacy policy directly, and Opefin is the primary controller of the underlying data. The reporting entity receives the certificate as an output and is responsible for its own obligations under applicable AML/CTF law.
| Contact type | Details |
|---|---|
| General contact | hello@opefin.com |
| Privacy queries | privacy@opefin.com |
| Complaints | complaints@opefin.com |
| Website | opefin.com |
| Privacy Officer | Privacy Officer, Opefin Limited |
Part 2
What this policy covers
2.1 Who this policy applies to
This policy applies to:
- consumers who use Opefin Source to generate an AML/CTF certificate, whether directly via a magic link or whose documents are submitted on their behalf by a reporting entity, provided they have accepted these terms and the applicable privacy notice
- reporting entities who use the Opefin platform to initiate certificate requests on behalf of their clients
- anyone who visits opefin.com or contacts us
2.2 What a Reporting Entity is
A Reporting Entity is a professional or business required by AML/CTF law to undertake customer due diligence. This includes but is not limited to financial services providers, lawyers, conveyancers, real estate agents, high value dealers, accountants, and online marketplace operators, and any other entities or individuals engaged in captured activities under applicable AML/CTF law.
2.3 What Opefin Source does
Opefin Source screens your provided information, and also connects to your financial accounts via a regulated open banking connection (with your consent) or processes documents and information submitted through the platform, and generates a cryptographically signed AML/CTF source of funds certificate. That certificate is used by the requesting reporting entity to satisfy their legal obligation to verify your identity and source of funds.
2.4 What the Opefin Compliance Network is
The Opefin Compliance Network is a core feature of Opefin Source. When your certificate is generated, a verified compliance record associated with it is stored in the Network. Accredited reporting entities can query the Network to verify your identity and compliance status for future transactions, with notification to you and subject to your retained right to remove your record from active queries.
This is a fundamental feature of the service, not a secondary optional use. By accepting these terms, the country specific privacy notice, as well as the Opefin Source Consumer Terms (including each relevant country specific consumer terms), you agree to your certificate and associated verified data being part of the Opefin Compliance Network for the duration of the applicable statutory retention period. The benefit to you is that future reporting entities, including those in other jurisdictions, can verify your identity and source of funds and wealth status instantly, without requiring you to repeat the full AML/CTF process.
Part 3
What data we collect
| Category of data | What it includes | How we get it |
|---|---|---|
| Identity information and biometric data | Your full name, email address, phone number, date of birth, and bank-confirmed account holder status. During identity verification: facial image, liveness check, and identity document scan, processed by our IDV Provider. Opefin receives the verification outcome, and raw biometric data may be retained by Opefin after the verification event. For companies and trusts, entity name and your role and authority within that entity. | Collected when you create an account or start the consent process. |
| Open banking and transaction data | Bank account balances, transaction history, income/expenditure and salary credits, and expenditure patterns, retrieved directly from your bank via a secure open banking connection with your permission. Covers up to 24 months of history depending on the certificate tier. | Collected via your open banking connection at the time of certificate generation. |
| Source of funds narrative | A structured summary of where your money has come from, derived from your transaction data. This is the core analytical output of the certificate. | Generated by Opefin at certificate generation. |
| Identity verification data | Where the IDV Module with government-source identity confirmation is activated. Verified identity outcome from the applicable government identity service. Raw verification data is not retained after the certificate is generated. | Where activated. Generated internally. |
| Financial behaviour analysis | Where the Risk Profiling Module is activated. Derived analytical data about patterns in your financial behaviour used to support the completeness declaration. This is analytical output, not raw transaction data. | Where activated. Generated internally. |
| Compliance Network record | A structured summary record derived from your certificate, held in the Opefin Compliance Network and queryable by accredited reporting entities with your notification. This record is maintained for the statutory retention period. | Generated at certificate creation and held in the Network. |
| Derived and aggregated data | Anonymised or pseudonymised data derived from certificate and transaction data, used for product development, model improvement, and industry analytics. This data does not identify you once anonymised. | Generated internally on an ongoing basis. |
| Technical and usage data | IP address (and all associated data), device type, browser type, session logs, and platform interaction data, collected automatically. | Collected automatically when you use the platform or website. |
| Communications data | Emails, support messages, and other communications you send us. | Collected when you contact us. |
Part 4
Why we use your data
4.1 Primary purpose
The primary reason we collect and use your personal information is to generate an Opefin Source certificate for the reporting entity involved in your transaction and to maintain your verified compliance record in the Opefin Compliance Network.
4.2 Full list of purposes
| Purpose | What it means |
|---|---|
| Certificate generation | To verify your identity, analyse your source of funds, conduct EDD screening where required, generate a risk rating, and produce a cryptographically signed AML/CTF compliance certificate at the request of the reporting entity involved in your transaction. |
| Compliance Network operation | To maintain your verified compliance record in the Opefin Compliance Network, enabling accredited reporting entities to verify your identity and compliance status for future transactions without requiring you to repeat the AML/CTF process. This is a core feature of the service. |
| Product development and improvement | To develop, test, and improve Opefin products and features, train internal models, generate industry analytics and benchmark datasets, and build new compliance infrastructure. Where possible we use anonymised or aggregated data for these purposes. |
| Compliance infrastructure services | To provide verified compliance data services to accredited reporting entities as part of the Opefin Compliance Network, including making your verified record available for query by future reporting entities involved in your transactions. |
| Legal obligation | To comply with applicable AML/CTF law, open banking regulations, regulatory reporting obligations, and any lawful request from authorities. |
| Security and fraud prevention | To detect and prevent fraud, misuse, money laundering, and other unlawful activity, and to protect the security and integrity of our platform. |
| Account and service management | To manage your account, communicate with you about the service, respond to your queries, and provide customer support. |
| Business operations | For internal business purposes including record-keeping, audit, dispute resolution, and business continuity. |
4.3 Lawful bases
We use your data only when we have a valid legal reason to do so. The specific lawful basis applicable in your jurisdiction is set out in the jurisdiction-specific notice for your country.
| Legal basis | What it means | When we use it |
|---|---|---|
| Legal obligation | We are required by law to collect and process certain information to support AML/CTF compliance. | Certificate generation, statutory retention, regulatory reporting. |
| Performance of a contract | We process your data to provide the service you have agreed to use. | Account management, certificate generation, Compliance Network participation. |
| Consent | For open banking data, we rely on your explicit, informed consent given through the Opefin consent process. The disclosed purpose includes certificate generation, Compliance Network record creation, and future re-query by accredited reporting entities. | All open banking data retrieval. |
| Legitimate interests | We use your data where we have a legitimate business interest that is proportionate and does not override your rights. We have assessed these interests before relying on this basis. | Product development, model improvement, analytics, fraud detection, security, Compliance Network operation. |
| Vital interests | In exceptional circumstances involving a serious risk to life or safety. | Emergency situations only. |
What we will never do with your data
We do not sell your personal information. When reporting entities pay to access the Opefin Compliance Network, they are paying for access to a regulated verification infrastructure, not for your data itself. You remain a participant in every transaction that involves your record, and will only share your record with your underlying consent.
We will not share your certificate with any party not involved in your transaction or not accredited to the Opefin Compliance Network.
Part 5
The Opefin Compliance Network
5.1 How the Network works
When your certificate is generated, a verified compliance record is created and held in the Opefin Compliance Network. This record contains the structured data derived from your certificate, including your verified identity, source of funds and wealth status, certificate date, tier, and associated risk profile, and any other information that you provided as part of a previous full due diligence process. It does not contain your full raw bank transaction data, which is governed by the separate retention rules in Part 7.
5.2 Who can query your record
Only accredited reporting entities with an active Opefin enterprise account may query the Network. Accreditation requires agreement to Opefin’s data use terms. Reporting entities can query the Network only in the context of a genuine transaction in which you are involved.
5.3 Notification for Network queries
When an accredited reporting entity queries your Network record, you will receive a notification. Your stored consent, given when you first used Opefin Source, covers Network queries by future accredited reporting entities. You do not need to give fresh consent for each query, but you are notified of each one so you are always aware of who has accessed your record.
5.4 Cross-border access
The Opefin Compliance Network is designed to support cross-border AML/CTF verification. An accredited reporting entity in another jurisdiction may query your Network record if you are involved in a transaction with them. Cross-border queries are subject to the same notification and accreditation requirements. The applicable cross-border transfer mechanisms are set out in Part 6.
5.5 Removal from active Network queries
You may request removal of your record from active Compliance Network queries at any time by contacting privacy@opefin.com. Removal means no future reporting entity can query your record. However, your underlying certificate and associated data must be retained for the statutory period under applicable AML/CTF law. Historical certificate records held by reporting entities who have already accessed your record remain valid and subject to those entities’ own retention obligations. Removal from active queries does not affect those records.
5.6 Commercial model
Reporting entities pay Opefin for access to the Compliance Network infrastructure. This can include subscription access, per-query fees, and setup costs where applicable. These fees are charged for access to the verified compliance infrastructure, not for your personal data. Opefin’s revenue model is infrastructure access, consistent with how payment networks, credit bureaus, and identity verification platforms operate globally.
Your benefit from the Compliance Network
You provide your AML/CTF information once. Future reporting entities can verify you instantly. If you move to a new jurisdiction, change lawyers, buy another property, or open a new account, you may not need to repeat the full AML/CTF process. The Compliance Network is designed to eliminate repeated verification friction while maintaining the integrity of the global AML/CTF framework.
Part 6
Who we share your data with
| Who we share with | Why and how |
|---|---|
| The requesting reporting entity | The lawyer, conveyancer, real estate agent, or other professional involved in your transaction. They receive your completed certificate and are legally required to retain it for the applicable statutory period. |
| Other reporting entities in the same transaction | Where you have consented to the reliance model, your certificate may be shared with other reporting entities involved in the same transaction. You will be informed of all co-relying parties before you consent. |
| Accredited reporting entities querying the Compliance Network | Reporting entities accredited to the Opefin Compliance Network may access your verified compliance record for genuine transactions in which you are involved, with notification to you as described in Part 5. |
| Open banking provider | The accredited open banking intermediary in your jurisdiction. They act under their own terms, which you accept as part of the consent process. |
| IDV Provider (biometric and liveness verification) | Our appointed IDV Provider processes your facial image, liveness check, and identity document scan to verify your identity. The IDV Provider acts under their own privacy framework, which you accept as part of the consent flow. Opefin receives the verification outcome and may retain your raw biometric data. |
| Technology sub-processors | Companies that help us operate our platform. These companies are contractually required to protect your data and may not use it for their own purposes. |
| Law enforcement and regulators | Where required by law or valid legal process. We will notify you before complying unless we are legally prevented from doing so. |
| A buyer of our business | If Opefin is sold or merged, your data may transfer to the new owner. You will be notified and your rights will continue to apply. |
Part 7
International data transfers
Opefin is a New Zealand company and processes data primarily in New Zealand and Australia. The Opefin Compliance Network is designed to facilitate cross-border compliance verification, which means your verified compliance record may be accessed by accredited reporting entities in other jurisdictions.
When we transfer your personal information outside your country, we take steps to ensure it receives protection consistent with applicable privacy law:
- For transfers from the European Economic Area or the UK: we rely on adequacy decisions, standard contractual clauses, or other approved transfer mechanisms under the GDPR or UK GDPR.
- For transfers from New Zealand: transfers outside New Zealand are made only to countries with comparable privacy protection, or under contractual arrangements requiring the recipient to protect the data to the standard of the Privacy Act 2020.
- For transfers from Australia: we comply with the cross-border disclosure provisions of Australian Privacy Principle 8 under the Privacy Act 1988 (Cth).
- For transfers from other jurisdictions: we comply with applicable local law, as specified in the jurisdiction-specific notice for your country.
Details of the specific transfer mechanisms we use are available on request from privacy@opefin.com.
Part 8
How long we keep your data
| Data category | How long we keep it | Why |
|---|---|---|
| Opefin Source certificates | The minimum period required by applicable AML/CTF law in your jurisdiction, as specified in the jurisdiction-specific notice. This is 5 years in New Zealand and 7 years in Australia. | Statutory obligation under applicable AML/CTF law. |
| Compliance Network record | The same period as the underlying certificate, being the applicable statutory retention period. After that period, the record is deleted within 30 days of your request or automatically within 30 days of expiry. | Statutory obligation; Compliance Network operation. |
| Open banking transaction data (raw) | Retained as part of the certificate for the statutory certificate retention period. Full raw bank data not incorporated into any certificate or Compliance Network record is deleted within 30 days of certificate generation. | Statutory period for incorporated data; 30 days for non-incorporated data. |
| Derived and anonymised data | Retained indefinitely for product development, analytics, and model training purposes. Once data is genuinely anonymised, it is no longer personal information and is not subject to deletion rights. Data is treated as genuinely anonymised only where it has been irreversibly stripped of identifiers so that no individual can be re-identified, directly or indirectly, by Opefin or by a recipient using means reasonably likely to be available, assessed in line with guidance from the Office of the Privacy Commissioner (NZ) and the Office of the Australian Information Commissioner. | Legitimate interests in product improvement and industry analytics. |
| Consent records | The statutory period applicable in your jurisdiction, as specified in the jurisdiction-specific notice. | Applicable AML/CTF law and open banking regulations. |
| Certificate audit log | The statutory period applicable in your jurisdiction. | Applicable AML/CTF law. |
| Account and profile information | Duration of your account, plus 2 years after closure. | Legitimate interests in dispute resolution. |
| Communications | 3 years from the date of the communication. | Legitimate interests in record-keeping. |
| Technical and usage data | 12 months from collection, unless retained longer for security investigation purposes. | Legitimate interests in platform security. |
Why we cannot always delete your data when you ask
AML/CTF law requires retention of source of funds records for a minimum statutory period, which varies by jurisdiction. If you ask us to delete your certificate or Compliance Network record during the statutory period, we may not be able to comply. We will always tell you if this applies. Once the statutory period has passed, we will delete the data within 30 days of your request. Derived and anonymised data is not subject to deletion rights because it is no longer personal information.
Part 9
Your rights
You have the following rights over your personal information. Which rights apply and how they work in practice depends on your location and applicable law. Your jurisdiction-specific notice sets out any variations.
| Right | What it means |
|---|---|
| Right to know | You can ask us for a copy of the personal information we hold about you. We will provide it within 20 working days or the period required by local law, whichever is shorter. |
| Right to correct | If the information we hold is wrong, you can ask us to correct it. If the inaccurate data has been included in a certificate already delivered to a reporting entity, we will notify you and, where possible, notify that reporting entity. |
| Right to delete | You can ask us to delete your personal information. We will do so unless we are legally required to keep it. Anonymised or derived data is not subject to deletion rights. |
| Right to remove from active Network queries | You can request that your verified compliance record be removed from active queries in the Opefin Compliance Network at any time. This does not delete the underlying certificate, which must be retained for the statutory period. |
| Right to restrict | You can ask us to limit how we use your data in certain circumstances, for example while a correction request is being assessed. |
| Right to portability | You can ask us to provide your personal information in a reasonable format of our choice so you can transfer it to another provider. This right applies where processing is based on your consent or a contract. |
| Right to object | You can object to us processing your data on the basis of legitimate interests. If you object, we will stop unless we can demonstrate compelling grounds that override your objection. |
| Right not to be discriminated against | We will not treat you differently or provide a lower quality of service because you exercised a privacy right. |
| Right to withdraw consent | Where processing is based on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Right to complain | You have the right to complain to the privacy regulator in your jurisdiction. The relevant authority is set out in the jurisdiction-specific notice for your country. |
9.1 How to exercise your rights
Contact us at privacy@opefin.com. Include your full name, the email address associated with your Opefin account, and a description of the right you want to exercise. We may ask you to verify your identity before we process your request. We will acknowledge your request within 10 working days and respond within 20 working days or the period required by applicable law, whichever is shorter.
9.2 Complaints
If you are not satisfied with how we have handled your personal information, contact us first at complaints@opefin.com. We will respond within 20 working days. You also have the right to complain to the privacy regulator in your jurisdiction. The relevant authority is set out in the jurisdiction-specific notice for your country.
Part 10
Security
We take the security of your personal information seriously. The measures we apply include:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256).
- Multi-factor authentication for all staff access to production systems.
- Role-based access controls limiting which staff can access which data.
- Regular penetration testing and vulnerability assessments.
- Cryptographic signing and hash-anchoring of certificates so any tampering is immediately detectable.
- Staff training on data security and privacy obligations.
Full details of our technical and organisational security measures are set out in our Security Policy, available on request from privacy@opefin.com.
10.1 If something goes wrong
If we suffer a breach that affects your personal information and poses a real risk of harm to you, we will notify the relevant privacy regulator within 72 hours of becoming aware (where required by applicable law), notify you directly as soon as practicable, and explain what happened, what data was affected, and what we are doing about it (if such notification is allowed under law).
Part 11
Cookies and tracking
| Cookie type | What it does |
|---|---|
| Strictly necessary cookies | Required for the platform to function. They manage your session, keep you logged in, and remember your consent choices. You cannot opt out of these without also opting out of using the platform. |
| Analytics cookies | Help us understand how people use the platform so we can improve it. We use anonymised data. |
| Security cookies | Help us detect and prevent fraud and abuse. Essential to the integrity of the certificate process. |
| Preference cookies | Remember your settings such as language and notification preferences. Optional but improve your experience. |
You can manage cookie preferences through your browser settings at any time. Blocking strictly necessary cookies will prevent you from using the Opefin platform.
Part 12
Children
Opefin Source is not intended for use by anyone under the age of 18 (or the age of majority in a particular jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a person under 18, we will delete it promptly. If you are a parent or guardian and believe your child has provided us with personal information, contact us at privacy@opefin.com.
Part 13
Changes to this policy
We may update this policy from time to time as our products develop, as we expand into new jurisdictions, or as the law changes. The current version is always available at opefin.com/legal/global-privacy-policy.
We will notify you of material changes by email at least 30 days before the change takes effect. For changes required by law or for security reasons, we may implement them immediately and notify you as soon as practicable. If you continue to use the Opefin platform after a change takes effect, you accept the updated policy.
Part 14
Jurisdiction-specific privacy notices
| Jurisdiction | Notice name | Where to find it |
|---|---|---|
| New Zealand | NZ Privacy Notice | opefin.com/legal/nz-privacy-notice |
| Australia | AU Privacy Notice | opefin.com/legal/au-privacy-notice |
Part 15
Key terms used in this policy
| Term | Meaning |
|---|---|
| AML/CTF law | Anti-money laundering and countering the financing of terrorism legislation in the relevant jurisdiction. |
| Certificate | A cryptographically signed compliance record generated by Opefin Source, summarising the results of activated modules including identity verification, source of funds analysis, EDD screening results, and risk rating. |
| Compliance Network record | A structured verified compliance record derived from a certificate and held in the Opefin Compliance Network. |
| Consumer | An individual or business entity who connects their bank accounts via Opefin to generate a certificate. |
| Controller | The entity that decides how and why personal information is processed. For consumer data, Opefin is the primary controller. |
| Customer due diligence (CDD) | The process a reporting entity must follow under AML/CTF law to verify a client's identity and the source of their funds. |
| Opefin Compliance Network | Opefin's regulated verification infrastructure through which accredited reporting entities can access verified compliance records. |
| Opefin Source | The Opefin end-to-end AML/CTF compliance platform, covering identity verification, source of funds analysis, EDD screening, risk profiling, ongoing monitoring, SAR workflow, and the Compliance Network. |
| Open banking connection | A secure, consent-based connection to your bank account facilitated by an accredited open banking provider. |
| Reporting Entity | A professional or business legally required by AML/CTF law to carry out customer due diligence on their clients. |
| Sub-processor | A third party that Opefin engages to help deliver the Opefin Source service. |
End of Global Privacy Policy | Baseline
Version 1.0 | Effective: 1 April 2026 | Opefin Limited (NZBN 9429053433008)
