Legal

Global Privacy Policy

Baseline Policy: All Jurisdictions

Version 1.0  |  Effective Date: 1 April 2026  |  Last reviewed: 1 April 2026

Opefin Limited (NZBN: 9429053433008)  |  privacy@opefin.com

FieldDetail
Document typeGlobal Privacy Policy: Baseline
Version1.0
Issued byOpefin Limited
NZBN9429053433008
Privacy contactprivacy@opefin.com
Effective date1 April 2026
Last reviewed1 April 2026

How this policy works

This document is the global baseline privacy policy for Opefin Limited. It applies to everyone who uses Opefin products, regardless of where they are located. It sets out the core rules that apply in every jurisdiction.

Jurisdiction-specific privacy notices sit alongside this baseline and add or replace specific rules that apply in your country. For example, if you are in New Zealand, read this baseline together with the NZ Privacy Notice. If you are in Australia, read it together with the AU Privacy Notice. Links to all current notices are at the end of this document.

If there is a conflict between this baseline and a jurisdiction-specific notice, the jurisdiction-specific notice takes precedence for users in that jurisdiction. This policy is designed so that conflicts do not arise.

Plain language commitment

This policy is written in plain English. Legal terms are explained where they are used. If anything is unclear, contact us at privacy@opefin.com.

Part 1

Who we are and how to contact us

Opefin Limited is a technology company incorporated in New Zealand (Company Number 9403953, NZBN 9429053433008). We operate Opefin Source, an end-to-end AML/CTF compliance platform covering identity verification, source of funds analysis, enhanced due diligence (EDD) screening, risk profiling, ongoing monitoring, and suspicious activity report (SAR) workflow tooling, and the Opefin Compliance Network, through which accredited reporting entities can access verified compliance records with consumer notification.

We are the data controller for all personal information collected when consumers use our services, including when that information is submitted on a consumer’s behalf by a reporting entity. When a consumer interacts with our platform, whether through a magic link or any other Opefin interface, they agree to these terms and our privacy policy directly, and Opefin is the primary controller of the underlying data. The reporting entity receives the certificate as an output and is responsible for its own obligations under applicable AML/CTF law.

Contact typeDetails
General contacthello@opefin.com
Privacy queriesprivacy@opefin.com
Complaintscomplaints@opefin.com
Websiteopefin.com
Privacy OfficerPrivacy Officer, Opefin Limited

Part 2

What this policy covers

2.1 Who this policy applies to

This policy applies to:

  • consumers who use Opefin Source to generate an AML/CTF certificate, whether directly via a magic link or whose documents are submitted on their behalf by a reporting entity, provided they have accepted these terms and the applicable privacy notice
  • reporting entities who use the Opefin platform to initiate certificate requests on behalf of their clients
  • anyone who visits opefin.com or contacts us

2.2 What a Reporting Entity is

A Reporting Entity is a professional or business required by AML/CTF law to undertake customer due diligence. This includes but is not limited to financial services providers, lawyers, conveyancers, real estate agents, high value dealers, accountants, and online marketplace operators, and any other entities or individuals engaged in captured activities under applicable AML/CTF law.

2.3 What Opefin Source does

Opefin Source screens your provided information, and also connects to your financial accounts via a regulated open banking connection (with your consent) or processes documents and information submitted through the platform, and generates a cryptographically signed AML/CTF source of funds certificate. That certificate is used by the requesting reporting entity to satisfy their legal obligation to verify your identity and source of funds.

2.4 What the Opefin Compliance Network is

The Opefin Compliance Network is a core feature of Opefin Source. When your certificate is generated, a verified compliance record associated with it is stored in the Network. Accredited reporting entities can query the Network to verify your identity and compliance status for future transactions, with notification to you and subject to your retained right to remove your record from active queries.

This is a fundamental feature of the service, not a secondary optional use. By accepting these terms, the country specific privacy notice, as well as the Opefin Source Consumer Terms (including each relevant country specific consumer terms), you agree to your certificate and associated verified data being part of the Opefin Compliance Network for the duration of the applicable statutory retention period. The benefit to you is that future reporting entities, including those in other jurisdictions, can verify your identity and source of funds and wealth status instantly, without requiring you to repeat the full AML/CTF process.

Part 3

What data we collect

Category of dataWhat it includesHow we get it
Identity information and biometric dataYour full name, email address, phone number, date of birth, and bank-confirmed account holder status. During identity verification: facial image, liveness check, and identity document scan, processed by our IDV Provider. Opefin receives the verification outcome, and raw biometric data may be retained by Opefin after the verification event. For companies and trusts, entity name and your role and authority within that entity.Collected when you create an account or start the consent process.
Open banking and transaction dataBank account balances, transaction history, income/expenditure and salary credits, and expenditure patterns, retrieved directly from your bank via a secure open banking connection with your permission. Covers up to 24 months of history depending on the certificate tier.Collected via your open banking connection at the time of certificate generation.
Source of funds narrativeA structured summary of where your money has come from, derived from your transaction data. This is the core analytical output of the certificate.Generated by Opefin at certificate generation.
Identity verification dataWhere the IDV Module with government-source identity confirmation is activated. Verified identity outcome from the applicable government identity service. Raw verification data is not retained after the certificate is generated.Where activated. Generated internally.
Financial behaviour analysisWhere the Risk Profiling Module is activated. Derived analytical data about patterns in your financial behaviour used to support the completeness declaration. This is analytical output, not raw transaction data.Where activated. Generated internally.
Compliance Network recordA structured summary record derived from your certificate, held in the Opefin Compliance Network and queryable by accredited reporting entities with your notification. This record is maintained for the statutory retention period.Generated at certificate creation and held in the Network.
Derived and aggregated dataAnonymised or pseudonymised data derived from certificate and transaction data, used for product development, model improvement, and industry analytics. This data does not identify you once anonymised.Generated internally on an ongoing basis.
Technical and usage dataIP address (and all associated data), device type, browser type, session logs, and platform interaction data, collected automatically.Collected automatically when you use the platform or website.
Communications dataEmails, support messages, and other communications you send us.Collected when you contact us.

Part 4

Why we use your data

4.1 Primary purpose

The primary reason we collect and use your personal information is to generate an Opefin Source certificate for the reporting entity involved in your transaction and to maintain your verified compliance record in the Opefin Compliance Network.

4.2 Full list of purposes

PurposeWhat it means
Certificate generationTo verify your identity, analyse your source of funds, conduct EDD screening where required, generate a risk rating, and produce a cryptographically signed AML/CTF compliance certificate at the request of the reporting entity involved in your transaction.
Compliance Network operationTo maintain your verified compliance record in the Opefin Compliance Network, enabling accredited reporting entities to verify your identity and compliance status for future transactions without requiring you to repeat the AML/CTF process. This is a core feature of the service.
Product development and improvementTo develop, test, and improve Opefin products and features, train internal models, generate industry analytics and benchmark datasets, and build new compliance infrastructure. Where possible we use anonymised or aggregated data for these purposes.
Compliance infrastructure servicesTo provide verified compliance data services to accredited reporting entities as part of the Opefin Compliance Network, including making your verified record available for query by future reporting entities involved in your transactions.
Legal obligationTo comply with applicable AML/CTF law, open banking regulations, regulatory reporting obligations, and any lawful request from authorities.
Security and fraud preventionTo detect and prevent fraud, misuse, money laundering, and other unlawful activity, and to protect the security and integrity of our platform.
Account and service managementTo manage your account, communicate with you about the service, respond to your queries, and provide customer support.
Business operationsFor internal business purposes including record-keeping, audit, dispute resolution, and business continuity.

4.3 Lawful bases

We use your data only when we have a valid legal reason to do so. The specific lawful basis applicable in your jurisdiction is set out in the jurisdiction-specific notice for your country.

Legal basisWhat it meansWhen we use it
Legal obligationWe are required by law to collect and process certain information to support AML/CTF compliance.Certificate generation, statutory retention, regulatory reporting.
Performance of a contractWe process your data to provide the service you have agreed to use.Account management, certificate generation, Compliance Network participation.
ConsentFor open banking data, we rely on your explicit, informed consent given through the Opefin consent process. The disclosed purpose includes certificate generation, Compliance Network record creation, and future re-query by accredited reporting entities.All open banking data retrieval.
Legitimate interestsWe use your data where we have a legitimate business interest that is proportionate and does not override your rights. We have assessed these interests before relying on this basis.Product development, model improvement, analytics, fraud detection, security, Compliance Network operation.
Vital interestsIn exceptional circumstances involving a serious risk to life or safety.Emergency situations only.

What we will never do with your data

We do not sell your personal information. When reporting entities pay to access the Opefin Compliance Network, they are paying for access to a regulated verification infrastructure, not for your data itself. You remain a participant in every transaction that involves your record, and will only share your record with your underlying consent.

We will not share your certificate with any party not involved in your transaction or not accredited to the Opefin Compliance Network.

Part 5

The Opefin Compliance Network

5.1 How the Network works

When your certificate is generated, a verified compliance record is created and held in the Opefin Compliance Network. This record contains the structured data derived from your certificate, including your verified identity, source of funds and wealth status, certificate date, tier, and associated risk profile, and any other information that you provided as part of a previous full due diligence process. It does not contain your full raw bank transaction data, which is governed by the separate retention rules in Part 7.

5.2 Who can query your record

Only accredited reporting entities with an active Opefin enterprise account may query the Network. Accreditation requires agreement to Opefin’s data use terms. Reporting entities can query the Network only in the context of a genuine transaction in which you are involved.

5.3 Notification for Network queries

When an accredited reporting entity queries your Network record, you will receive a notification. Your stored consent, given when you first used Opefin Source, covers Network queries by future accredited reporting entities. You do not need to give fresh consent for each query, but you are notified of each one so you are always aware of who has accessed your record.

5.4 Cross-border access

The Opefin Compliance Network is designed to support cross-border AML/CTF verification. An accredited reporting entity in another jurisdiction may query your Network record if you are involved in a transaction with them. Cross-border queries are subject to the same notification and accreditation requirements. The applicable cross-border transfer mechanisms are set out in Part 6.

5.5 Removal from active Network queries

You may request removal of your record from active Compliance Network queries at any time by contacting privacy@opefin.com. Removal means no future reporting entity can query your record. However, your underlying certificate and associated data must be retained for the statutory period under applicable AML/CTF law. Historical certificate records held by reporting entities who have already accessed your record remain valid and subject to those entities’ own retention obligations. Removal from active queries does not affect those records.

5.6 Commercial model

Reporting entities pay Opefin for access to the Compliance Network infrastructure. This can include subscription access, per-query fees, and setup costs where applicable. These fees are charged for access to the verified compliance infrastructure, not for your personal data. Opefin’s revenue model is infrastructure access, consistent with how payment networks, credit bureaus, and identity verification platforms operate globally.

Your benefit from the Compliance Network

You provide your AML/CTF information once. Future reporting entities can verify you instantly. If you move to a new jurisdiction, change lawyers, buy another property, or open a new account, you may not need to repeat the full AML/CTF process. The Compliance Network is designed to eliminate repeated verification friction while maintaining the integrity of the global AML/CTF framework.

Part 6

Who we share your data with

Who we share withWhy and how
The requesting reporting entityThe lawyer, conveyancer, real estate agent, or other professional involved in your transaction. They receive your completed certificate and are legally required to retain it for the applicable statutory period.
Other reporting entities in the same transactionWhere you have consented to the reliance model, your certificate may be shared with other reporting entities involved in the same transaction. You will be informed of all co-relying parties before you consent.
Accredited reporting entities querying the Compliance NetworkReporting entities accredited to the Opefin Compliance Network may access your verified compliance record for genuine transactions in which you are involved, with notification to you as described in Part 5.
Open banking providerThe accredited open banking intermediary in your jurisdiction. They act under their own terms, which you accept as part of the consent process.
IDV Provider (biometric and liveness verification)Our appointed IDV Provider processes your facial image, liveness check, and identity document scan to verify your identity. The IDV Provider acts under their own privacy framework, which you accept as part of the consent flow. Opefin receives the verification outcome and may retain your raw biometric data.
Technology sub-processorsCompanies that help us operate our platform. These companies are contractually required to protect your data and may not use it for their own purposes.
Law enforcement and regulatorsWhere required by law or valid legal process. We will notify you before complying unless we are legally prevented from doing so.
A buyer of our businessIf Opefin is sold or merged, your data may transfer to the new owner. You will be notified and your rights will continue to apply.

Part 7

International data transfers

Opefin is a New Zealand company and processes data primarily in New Zealand and Australia. The Opefin Compliance Network is designed to facilitate cross-border compliance verification, which means your verified compliance record may be accessed by accredited reporting entities in other jurisdictions.

When we transfer your personal information outside your country, we take steps to ensure it receives protection consistent with applicable privacy law:

  • For transfers from the European Economic Area or the UK: we rely on adequacy decisions, standard contractual clauses, or other approved transfer mechanisms under the GDPR or UK GDPR.
  • For transfers from New Zealand: transfers outside New Zealand are made only to countries with comparable privacy protection, or under contractual arrangements requiring the recipient to protect the data to the standard of the Privacy Act 2020.
  • For transfers from Australia: we comply with the cross-border disclosure provisions of Australian Privacy Principle 8 under the Privacy Act 1988 (Cth).
  • For transfers from other jurisdictions: we comply with applicable local law, as specified in the jurisdiction-specific notice for your country.

Details of the specific transfer mechanisms we use are available on request from privacy@opefin.com.

Part 8

How long we keep your data

Data categoryHow long we keep itWhy
Opefin Source certificatesThe minimum period required by applicable AML/CTF law in your jurisdiction, as specified in the jurisdiction-specific notice. This is 5 years in New Zealand and 7 years in Australia.Statutory obligation under applicable AML/CTF law.
Compliance Network recordThe same period as the underlying certificate, being the applicable statutory retention period. After that period, the record is deleted within 30 days of your request or automatically within 30 days of expiry.Statutory obligation; Compliance Network operation.
Open banking transaction data (raw)Retained as part of the certificate for the statutory certificate retention period. Full raw bank data not incorporated into any certificate or Compliance Network record is deleted within 30 days of certificate generation.Statutory period for incorporated data; 30 days for non-incorporated data.
Derived and anonymised dataRetained indefinitely for product development, analytics, and model training purposes. Once data is genuinely anonymised, it is no longer personal information and is not subject to deletion rights. Data is treated as genuinely anonymised only where it has been irreversibly stripped of identifiers so that no individual can be re-identified, directly or indirectly, by Opefin or by a recipient using means reasonably likely to be available, assessed in line with guidance from the Office of the Privacy Commissioner (NZ) and the Office of the Australian Information Commissioner.Legitimate interests in product improvement and industry analytics.
Consent recordsThe statutory period applicable in your jurisdiction, as specified in the jurisdiction-specific notice.Applicable AML/CTF law and open banking regulations.
Certificate audit logThe statutory period applicable in your jurisdiction.Applicable AML/CTF law.
Account and profile informationDuration of your account, plus 2 years after closure.Legitimate interests in dispute resolution.
Communications3 years from the date of the communication.Legitimate interests in record-keeping.
Technical and usage data12 months from collection, unless retained longer for security investigation purposes.Legitimate interests in platform security.

Why we cannot always delete your data when you ask

AML/CTF law requires retention of source of funds records for a minimum statutory period, which varies by jurisdiction. If you ask us to delete your certificate or Compliance Network record during the statutory period, we may not be able to comply. We will always tell you if this applies. Once the statutory period has passed, we will delete the data within 30 days of your request. Derived and anonymised data is not subject to deletion rights because it is no longer personal information.

Part 9

Your rights

You have the following rights over your personal information. Which rights apply and how they work in practice depends on your location and applicable law. Your jurisdiction-specific notice sets out any variations.

RightWhat it means
Right to knowYou can ask us for a copy of the personal information we hold about you. We will provide it within 20 working days or the period required by local law, whichever is shorter.
Right to correctIf the information we hold is wrong, you can ask us to correct it. If the inaccurate data has been included in a certificate already delivered to a reporting entity, we will notify you and, where possible, notify that reporting entity.
Right to deleteYou can ask us to delete your personal information. We will do so unless we are legally required to keep it. Anonymised or derived data is not subject to deletion rights.
Right to remove from active Network queriesYou can request that your verified compliance record be removed from active queries in the Opefin Compliance Network at any time. This does not delete the underlying certificate, which must be retained for the statutory period.
Right to restrictYou can ask us to limit how we use your data in certain circumstances, for example while a correction request is being assessed.
Right to portabilityYou can ask us to provide your personal information in a reasonable format of our choice so you can transfer it to another provider. This right applies where processing is based on your consent or a contract.
Right to objectYou can object to us processing your data on the basis of legitimate interests. If you object, we will stop unless we can demonstrate compelling grounds that override your objection.
Right not to be discriminated againstWe will not treat you differently or provide a lower quality of service because you exercised a privacy right.
Right to withdraw consentWhere processing is based on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to complainYou have the right to complain to the privacy regulator in your jurisdiction. The relevant authority is set out in the jurisdiction-specific notice for your country.

9.1 How to exercise your rights

Contact us at privacy@opefin.com. Include your full name, the email address associated with your Opefin account, and a description of the right you want to exercise. We may ask you to verify your identity before we process your request. We will acknowledge your request within 10 working days and respond within 20 working days or the period required by applicable law, whichever is shorter.

9.2 Complaints

If you are not satisfied with how we have handled your personal information, contact us first at complaints@opefin.com. We will respond within 20 working days. You also have the right to complain to the privacy regulator in your jurisdiction. The relevant authority is set out in the jurisdiction-specific notice for your country.

Part 10

Security

We take the security of your personal information seriously. The measures we apply include:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256).
  • Multi-factor authentication for all staff access to production systems.
  • Role-based access controls limiting which staff can access which data.
  • Regular penetration testing and vulnerability assessments.
  • Cryptographic signing and hash-anchoring of certificates so any tampering is immediately detectable.
  • Staff training on data security and privacy obligations.

Full details of our technical and organisational security measures are set out in our Security Policy, available on request from privacy@opefin.com.

10.1 If something goes wrong

If we suffer a breach that affects your personal information and poses a real risk of harm to you, we will notify the relevant privacy regulator within 72 hours of becoming aware (where required by applicable law), notify you directly as soon as practicable, and explain what happened, what data was affected, and what we are doing about it (if such notification is allowed under law).

Part 11

Cookies and tracking

Cookie typeWhat it does
Strictly necessary cookiesRequired for the platform to function. They manage your session, keep you logged in, and remember your consent choices. You cannot opt out of these without also opting out of using the platform.
Analytics cookiesHelp us understand how people use the platform so we can improve it. We use anonymised data.
Security cookiesHelp us detect and prevent fraud and abuse. Essential to the integrity of the certificate process.
Preference cookiesRemember your settings such as language and notification preferences. Optional but improve your experience.

You can manage cookie preferences through your browser settings at any time. Blocking strictly necessary cookies will prevent you from using the Opefin platform.

Part 12

Children

Opefin Source is not intended for use by anyone under the age of 18 (or the age of majority in a particular jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a person under 18, we will delete it promptly. If you are a parent or guardian and believe your child has provided us with personal information, contact us at privacy@opefin.com.

Part 13

Changes to this policy

We may update this policy from time to time as our products develop, as we expand into new jurisdictions, or as the law changes. The current version is always available at opefin.com/legal/global-privacy-policy.

We will notify you of material changes by email at least 30 days before the change takes effect. For changes required by law or for security reasons, we may implement them immediately and notify you as soon as practicable. If you continue to use the Opefin platform after a change takes effect, you accept the updated policy.

Part 14

Jurisdiction-specific privacy notices

JurisdictionNotice nameWhere to find it
New ZealandNZ Privacy Noticeopefin.com/legal/nz-privacy-notice
AustraliaAU Privacy Noticeopefin.com/legal/au-privacy-notice

Part 15

Key terms used in this policy

TermMeaning
AML/CTF lawAnti-money laundering and countering the financing of terrorism legislation in the relevant jurisdiction.
CertificateA cryptographically signed compliance record generated by Opefin Source, summarising the results of activated modules including identity verification, source of funds analysis, EDD screening results, and risk rating.
Compliance Network recordA structured verified compliance record derived from a certificate and held in the Opefin Compliance Network.
ConsumerAn individual or business entity who connects their bank accounts via Opefin to generate a certificate.
ControllerThe entity that decides how and why personal information is processed. For consumer data, Opefin is the primary controller.
Customer due diligence (CDD)The process a reporting entity must follow under AML/CTF law to verify a client's identity and the source of their funds.
Opefin Compliance NetworkOpefin's regulated verification infrastructure through which accredited reporting entities can access verified compliance records.
Opefin SourceThe Opefin end-to-end AML/CTF compliance platform, covering identity verification, source of funds analysis, EDD screening, risk profiling, ongoing monitoring, SAR workflow, and the Compliance Network.
Open banking connectionA secure, consent-based connection to your bank account facilitated by an accredited open banking provider.
Reporting EntityA professional or business legally required by AML/CTF law to carry out customer due diligence on their clients.
Sub-processorA third party that Opefin engages to help deliver the Opefin Source service.

End of Global Privacy Policy | Baseline

Version 1.0 | Effective: 1 April 2026 | Opefin Limited (NZBN 9429053433008)