Opefin Source

New Zealand Specific Additional Consumer Terms

Consumer version — jurisdiction-specific requirements for individuals using Opefin Source in Aotearoa New Zealand

Version 1.0  |  Effective Date: 1 April 2026  |  Supplements the Global General Terms and applicable Product Terms

Opefin Limited (NZBN: 9429053433008)  |  hello@opefin.com

How this Addendum works

This New Zealand Specific Additional Consumer Terms (“NZ Addendum”) applies to all Opefin users who are located in New Zealand or who use Opefin services in connection with transactions or activities governed by New Zealand law. It supplements the Global General Terms (GGT) as well as the Global Consumer Terms for Opefin. Where this NZ Addendum conflicts with the GGT on a matter governed by New Zealand law, this NZ Addendum takes precedence. All defined terms from the GGT and Global Consumer Terms apply here unless a different meaning is given.

Part 1

Contracting entity

1. Contracting Entity for New Zealand

FieldDetail
Legal nameOpefin Limited
Company number9403953
NZBN9429053433008
Primary contactlegal@opefin.com
Privacy Officerprivacy@opefin.com

Part 2

Governing law and dispute resolution

2. Governing Law

These terms, and any agreement between you and Opefin in relation to the Service, are governed by the laws of New Zealand. Nothing in this NZ Addendum, Global Consumer Terms, or the GGT limits or removes rights you have under mandatory New Zealand laws that cannot be excluded by contract, including the Consumer Guarantees Act 1993, the Fair Trading Act 1986, the Privacy Act 2020, the Customer and Product Data Act 2025, and the Contract and Commercial Law Act 2017.

3. Courts

Any dispute not resolved through the processes in the GGT, Global Consumer Terms, or these terms, may be brought before the courts of New Zealand, which have non-exclusive jurisdiction. Consumer Users retain the right to bring proceedings in a New Zealand court regardless of any other provision.

4. Dispute Resolution Schemes

4.1 Financial Services Complaints Limited

Opefin will become a member of Financial Services Complaints Limited (FSCL), an approved dispute resolution scheme under the Financial Service Providers (Registration and Dispute Resolution) Act 2008. If you have a complaint that we have not resolved to your satisfaction through our internal complaints process, you may escalate it to FSCL.

FieldDetail
Scheme nameFinancial Services Complaints Limited (FSCL)
Websitewww.fscl.org.nz
Phone (freephone in NZ)0800 347 257
Emailinfo@fscl.org.nz
Cost to youFree of charge
EligibilityConsumers and small businesses (annual turnover under NZD 2 million and fewer than 20 employees)
ConditionYou must first complete Opefin's internal complaints process before FSCL will accept your complaint

4.2 Privacy Complaints

BodyDetail
Office of the Privacy Commissionerwww.privacy.org.nz | 0800 803 909
Online complaintwww.privacy.org.nz/your-rights/making-a-complaint

4.3 Disputes Tribunal and Courts

Consumer Users may bring small claims (up to NZD 30,000) to the Disputes Tribunal without legal representation. Claims above NZD 30,000 are subject to the District Court, High Court, or the dispute resolution process outlined in the applicable terms.

Part 3

Privacy Act 2020

5. Privacy Act 2020 Compliance

5.1 Application

The Privacy Act 2020 applies to Opefin’s collection, use, storage, and disclosure of personal information about individuals in New Zealand. Opefin is the primary controller of Consumer Data collected through the Opefin Source consent process. The definition of Personal Data in the GGT encompasses personal information as defined in the Privacy Act.

5.2 Information Privacy Principles

PrincipleHow Opefin meets itStatus
IPP 1 — PurposePersonal information is collected for the specified purposes described in Part 4 of the Global Privacy Policy and clause 3 of the DPA: certificate generation, Compliance Network operation, product development using anonymised data, legal compliance, and platform security.Compliant
IPP 2 — SourcePersonal information is collected directly from the Consumer via Opefin's consent process and from their bank via the CDR connection with their consent. Where a Reporting Entity submits documents on a Consumer's behalf, the Consumer must have accepted Opefin's terms before submission is processed.Compliant
IPP 3 — Collection NoticeIndividuals are informed before collection of: what is collected, the full purpose including Compliance Network use, who will receive it, and their rights. The Consumer Consent Disclosure Notice satisfies IPP 3 for Opefin Source.Compliant
IPP 4 — Collection MannerInformation is collected fairly and not by unlawful means. The open banking authentication flow meets this standard. Consent cannot be coerced.Compliant
IPP 5 — Storage and SecurityReasonable security safeguards protect personal information. Technical and organisational measures are described in Schedule 2 of the DPA.Compliant
IPP 6 — AccessIndividuals may request access to personal information Opefin holds about them. Requests are processed within 20 working days. Contact privacy@opefin.com.Compliant
IPP 7 — CorrectionIndividuals may request correction of inaccurate personal information. Where information originates from a bank via CDR, corrections must first be made with the bank.Compliant
IPP 8 — AccuracyReasonable steps are taken to ensure accuracy. CDR data is treated as accurate at the point of retrieval.Compliant
IPP 9 — RetentionPersonal information is retained only as long as necessary for the purposes described and the statutory periods in Section 7 of this NZ Addendum. Raw transaction data not incorporated into a Certificate or Compliance Network Record is deleted within 30 days. Anonymised derived data is retained indefinitely for product development and is no longer personal information.Compliant
IPP 10 — Use LimitationPersonal information is used for the purposes described in Part 4 of the Global Privacy Policy and clause 3 of the DPA, including certificate generation, Compliance Network operation, and product improvement using anonymised data. It is not used for credit assessment, affordability analysis, employment screening, insurance underwriting, or targeted advertising.Compliant
IPP 11 — Disclosure LimitationPersonal information is disclosed only to: the requesting Reporting Entity (as Certificate); other Reporting Entities in the same transaction under the reliance model (with consent); accredited Reporting Entities querying the Compliance Network for genuine future transactions (with Consumer notification); and sub-processors bound by data protection obligations. Personal information is not sold.Compliant
IPP 12 — Unique IdentifiersCertificate IDs are internal reference numbers only, not assigned as unique identifiers to individuals across agencies.Compliant

5.3 Notifiable Privacy Breaches

Where Opefin experiences a privacy breach that is likely to cause serious harm to affected individuals, if allowed under law, Opefin will notify both the affected individuals and the Office of the Privacy Commissioner as required under Part 7 of the Privacy Act 2020. Opefin will notify the Reporting Entity within 72 hours of becoming aware of a breach involving Consumer Data related to their certificates. The Reporting Entity is responsible for assessing its own notification obligations in relation to the Certificate data it holds.

Part 4

Customer and Product Data Act 2025

6. CDR Framework in New Zealand

6.1 The Regulatory Framework

The Customer and Product Data Act 2025 (CDR Act) and the Customer and Product Data (Banking and Other Deposit-Taking) Regulations 2025 establish New Zealand’s consumer data right regime. The CDR Act came into force for designated banking products in December 2025.

6.2 Akahu as Open Banking Provider

In New Zealand, Opefin accesses Consumer banking data through Akahu Limited (NZBN: 9429050222383), which holds intermediary accredited requestor status under the CDR Act. Consumers authenticate directly with their bank; the bank sends data to Akahu under the CDR framework; Akahu passes that data to Opefin. For identity verification, Opefin uses appointed IDV Providers for biometric capture, liveness detection, document verification, and government-source identity confirmation. IDV Providers process biometric data under their own privacy frameworks and data processing agreements with Opefin. The current IDV Providers for New Zealand are identified in the applicable Product Schedule and may be updated by Opefin on at least 30 days’ written notice to the Reporting Entity. Opefin is pursuing direct CDR accreditation from MBIE. When direct accreditation is obtained, this NZ Addendum will be updated.

6.3 Designated Banks

The following New Zealand banks are currently designated under the CDR Regulations: ANZ Bank New Zealand, ASB Bank, Bank of New Zealand (BNZ), Westpac New Zealand, and Kiwibank (designation takes effect end of 2026). Accounts at non-designated financial institutions may not be accessible through the CDR connection at this time.

6.4 Consumer CDR Rights in New Zealand

Under the CDR Act, New Zealand users have the following rights:

  • The right to authorise and revoke data sharing with any accredited requestor at any time through their bank’s CDR consent management interface.
  • The right to know which entities have requested access to their data and for what purpose.
  • The right to complain to MBIE about breaches of the CDR Act: www.mbie.govt.nz
  • The right to verify Akahu’s CDR accreditation status on the MBIE Register of Participants.

6.5 Disclosed purpose of open banking consent

The CDR Act requires that open banking data be used only for the purpose disclosed at consent. The purpose disclosed in Opefin’s consent flow includes: verifying your identity and generating your AML/CTF compliance certificate; creating and maintaining your Compliance Network Record; enabling accredited Reporting Entities to query your record for future transactions with notification to you; EDD screening where the EDD Module is activated; and improving Opefin products using derived and anonymised data. Raw open banking data is not used for purposes outside this disclosed scope.

Part 5

New Zealand consumer rights

7. Privacy Rights for New Zealand Users

7.1 Right to Access

You may request access to the personal information Opefin holds about you under section 44 of the Privacy Act 2020 by contacting privacy@opefin.com. Opefin will respond within 20 working days. Opefin may extend this by a further 20 working days in complex cases by notifying you within the initial 20-day period.

7.2 Right to Correction

You may request correction of personal information under section 55 of the Privacy Act 2020 by contacting privacy@opefin.com. Where Opefin declines to make a correction, you may request that a notation be attached to the information.

7.3 Right to remove from Compliance Network queries

You may request removal of your Compliance Network Record from active queries at any time by contacting privacy@opefin.com. This means no future Reporting Entity can query your record going forward. The underlying Certificate must still be retained for the 5-year statutory period.

7.4 Human Rights Review Tribunal

If the OPC investigates your complaint and does not resolve it, the matter may be referred to the Human Rights Review Tribunal, which has the power to award remedies including damages.

8. Consumer Guarantees Act 1993

Certain parts of the Consumer Guarantees Act 1993 (CGA) apply to services supplied to Consumer Users in trade in New Zealand. When you use Opefin services as a consumer (as defined in the CGA), you have guaranteed rights including that the service will be carried out with reasonable care and skill, will be fit for purpose, and will be completed within a reasonable time. These guarantees cannot be excluded, restricted, or modified in a contract with a Consumer User.

9. Fair Trading Act 1986

The Fair Trading Act 1986 prohibits misleading and deceptive conduct in trade and incorporates Unfair Contract Terms provisions (Part 2A) which apply to consumer contracts and small trade contracts. Opefin does not rely on any term it considers potentially unfair under this standard.

Part 6

Data handling in New Zealand

10. Retention Periods in New Zealand

Data categoryRetention periodLegal basis
Opefin Source certificates5 years from generation date. Mirrors the Reporting Entity's obligation under section 60, AML/CFT Act 2009.AML/CFT Act statutory obligation.
Compliance Network Record5 years from the certificate date. Deleted within 30 days of expiry or valid removal request after expiry.Statutory obligation; Compliance Network operation.
Raw transaction data (incorporated into Certificate or Network Record)Retained as part of Certificate and Compliance Network Record for the 5-year period.Statutory obligation.
Raw transaction data (not incorporated)Deleted within 30 days of certificate generation or CDR connection revocation.Privacy Act 2020 IPP 9.
CDR consent records5 years from date of consent.CDR Act 2025 and AML/CFT Act.
Certificate verification hashIndefinite. Contains no personal information.Technical integrity record.
Derived and anonymised dataIndefinite. Once genuinely anonymised, no longer personal information.Legitimate interests in product development and analytics.
Technical logs12 months.Security monitoring and incident response.

11. Cross-Border Transfers from New Zealand

Where Opefin transfers personal information about New Zealand individuals to a third country, Opefin will ensure the recipient country has comparable protections under section 212(b) of the Privacy Act 2020, the transfer is authorised under section 212, or appropriate contractual safeguards are in place. Opefin’s primary infrastructure is located in New Zealand and Australia. Cloud infrastructure providers in Australia and the United States are bound by data processing agreements containing standard contractual clauses.

12. Government and Regulatory Requests

Where Opefin receives a request from a New Zealand regulatory authority, law enforcement agency, or court for personal information or records, Opefin will assess its legal basis, respond in accordance with its legal obligations, notify the affected Consumer User where lawfully permitted before complying, and provide only the minimum information necessary to satisfy the lawful request.

Part 7

Opefin Source in New Zealand

13. Opefin Source in New Zealand

13.1 Compliance Network in New Zealand

The Opefin Compliance Network is a current core feature of Opefin Source, not a future product. When a Consumer’s certificate is generated, a Compliance Network Record is created. Accredited Reporting Entities involved in future transactions with that Consumer may query the Network with Consumer notification. This supports the reliance model under section 33 of the AML/CFT Act and eliminates repeated verification friction for Consumers across transactions.

13.2 Certificate Legal Standing

An Opefin Source certificate is designed to constitute a CDD record for the source of funds/wealth component under section 60 of the AML/CFT Act. Opefin is not a legal adviser and cannot confirm that any specific certificate will be accepted by the DIA as sufficient CDD evidence in a specific case. Reporting Entities should ensure their use of Opefin Source is consistent with DIA sector guidance and their own legal advice.

13.3 Government Identity Verification

Where the IDV Module is configured to use a government-source identity confirmation service, Opefin Source connects to the applicable service in New Zealand. This government-source or database identity check is performed through Opefin’s IDV provider under its own privacy framework. The Consumer’s consent to the government identity check is captured in the Consumer Consent Disclosure Notice. The specific government identity confirmation service used is identified in the applicable Product Schedule.

14. Complaints About Opefin Source

Complaints about Opefin Source in New Zealand should follow the process in the Opefin Complaints Policy, by emailing complaints@opefin.com. The applicable external dispute resolution scheme will be FSCL (clause 4.1). Privacy complaints may be directed to the OPC (clause 4.2). CDR complaints may be directed to MBIE (clause 6.4).

Part 8

Key New Zealand contacts

ContactDetails
Opefin Privacy Officer (NZ)privacy@opefin.com
Opefin Complaintscomplaints@opefin.com
Office of the Privacy Commissionerwww.privacy.org.nz | 0800 803 909
Financial Services Complaints Ltd (FSCL)www.fscl.org.nz | 0800 347 257
Department of Internal Affairs (DIA AML/CTF)www.dia.govt.nz/aml
MBIE (CDR / consumer protection)www.mbie.govt.nz | www.consumerprotection.govt.nz
NZ Police FIU (SAR filing)www.police.govt.nz/advice/businesses-and-organisations/financial-intelligence
Disputes Tribunalwww.disputestribunal.govt.nz

End of New Zealand Specific Additional Consumer Terms | Version 1.0 | Opefin Limited

Supplements the Global General Terms and applicable Product Terms