Legal
New Zealand Privacy Notice
Jurisdiction-Specific Notice: Read alongside the Global Privacy Policy
Version 1.0 | Effective Date: 1 April 2026
Opefin Limited (NZBN: 9429053433008) | privacy@opefin.com
| Field | Detail |
|---|---|
| Document type | New Zealand Privacy Notice (Jurisdiction-Specific) |
| Applies to | Users in New Zealand / transactions subject to NZ law |
| Read alongside | Global Privacy Policy baseline |
| Version | 1.0 |
| Effective date | 1 April 2026 |
| Privacy contact | privacy@opefin.com |
How to read this notice
This notice supplements the Opefin Global Privacy Policy baseline. It does not replace it. Read both documents together. Where this notice says something different from the global baseline, this notice takes precedence for users in New Zealand.
This notice explains your rights and our obligations under the Privacy Act 2020 (NZ), the Customer and Product Data Act 2025 (NZ), and the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (NZ).
Part 1
The New Zealand legal framework
| Law | What it does |
|---|---|
| Privacy Act 2020 | The core privacy law in New Zealand. It sets out 12 Information Privacy Principles (IPPs) that govern how we collect, use, store, and disclose your personal information. The regulator is the Office of the Privacy Commissioner (OPC). |
| Customer and Product Data Act 2025 (CPD Act) | The open banking law in New Zealand. It governs how consumer data can be shared between banks and accredited third parties. Any open banking data sharing must be done with your informed consent, through an accredited data intermediary. Akahu Limited is the accredited data intermediary we use in New Zealand. |
| AML/CFT Act 2009 | The law that requires reporting entities (like lawyers, conveyancers, real estate agents, accountants and high value dealers, and others), to verify the source of their clients' funds and wealth. Under section 49, records must be retained for at least 5 years. |
Part 2
How Akahu fits in
2.1 What Akahu does
In New Zealand, we use Akahu Limited as our open banking intermediary. Akahu is accredited under the Customer and Product Data Act 2025. When you connect your bank account through Opefin Source, you create a connection via Akahu. Akahu acts as a secure intermediary between your bank and Opefin. When you give your consent, Akahu retrieves your bank account and transaction data on our behalf and delivers it to us securely.
2.2 Scope of Akahu access
We use Akahu’s enduring consent service for account information only. We retrieve account balances and transactions only. We do not initiate payments or transfers via Akahu, and we do not use Akahu Apply, Akahu Genie, or any other Akahu product. For most Opefin Source requests, the consent is used once to generate the certificate and then the connection is complete (although ongoing consent may also be required).
2.3 Akahu’s own terms
| Document | Where to find it |
|---|---|
| Akahu End User Terms | akahu.nz/terms |
| Akahu Privacy Policy | akahu.nz/privacy |
| Akahu support | support@akahu.nz |
Your Akahu connection is separate from your Opefin account
You can revoke it at any time through my.akahu.nz or through the Opefin platform. Revoking stops further data retrieval but does not delete a certificate already generated or information already received by the Opefin platform, which is subject to the 5-year AML/CFT Act retention period.
2.4 What happens when you revoke the Akahu connection
If a certificate has already been generated using your data, that certificate and the underlying data incorporated into it must be retained for 5 years from the certificate date under section 49 of the AML/CFT Act 2009. Revoking the Akahu connection does not shorten this obligation. Raw bank data retrieved via Akahu but not incorporated into any certificate is deleted within 30 days of revocation. Data incorporated into a certificate or Compliance Network record is retained for the statutory period.
2.5 CPD Act and disclosed purpose of open banking consent
The Customer and Product Data Act 2025 requires that open banking data be used only for the purpose disclosed at the time of consent. The purpose disclosed in your Opefin consent flow includes: verifying your identity and generating your AML/CTF compliance certificate; creating and maintaining your verified compliance record in the Opefin Compliance Network; EDD screening (PEP, sanctions, and adverse media screening) where that module is activated; enabling accredited reporting entities to query your record for future transactions with notification to you; and improving Opefin products using derived and anonymised data. Raw open banking data is not used for purposes outside this disclosed scope.
2.6 Obligation to notify Akahu of changes
As part of Opefin’s Akahu accreditation, Opefin is required to notify Akahu at hello@akahu.nz if we make any changes to this Privacy Notice that affect how we use data exchanged via the Akahu connection.
Part 3
Your rights under the Privacy Act 2020
The Privacy Act 2020 sets out 12 Information Privacy Principles (IPPs). The table below explains how Opefin meets each obligation in the Opefin Source and Compliance Network context.
| Principle | How Opefin meets it | Status |
|---|---|---|
| IPP 1 — Purpose of collection | We collect personal information for the following purposes: verifying your identity through biometric and document verification; generating an AML/CTF compliance certificate; EDD screening (PEP, sanctions, and adverse media) where that module is activated; creating and maintaining your verified compliance record in the Opefin Compliance Network; enabling accredited reporting entities to query that record for future transactions; improving Opefin products using derived and anonymised data; complying with legal obligations; and operating our platform securely. | Compliant |
| IPP 2 — Source of information | We collect information directly from you, from your bank via the Akahu open banking connection with your consent, from our appointed IDV Provider (for biometric and identity document verification), and from third-party verification services where disclosed at consent. Your facial image, liveness check result, and identity document scan are processed by our IDV Provider under the IDV Provider's own privacy framework. Opefin receives the verification outcome only and does not retain your raw biometric data. | Compliant |
| IPP 3 — Collection from the individual | When you start the consent process, we tell you who we are, why we are collecting your information, all purposes including Compliance Network use, who it will be disclosed to, and your rights. This is done through the Consumer Consent Disclosure Notice. | Compliant |
| IPP 4 — Manner of collection | We collect information in a way that is lawful, fair, and not unreasonably intrusive. The open banking connection is direct, secure, and consent-based. | Compliant |
| IPP 5 — Storage and security | We store your information with AES-256 encryption at rest and TLS 1.2+ encryption in transit. Access is restricted to authorised staff on a need-to-know basis. We conduct regular penetration testing. | Compliant |
| IPP 6 — Access | You have the right to ask us for a copy of the personal information we hold about you. We will respond within 20 working days. Contact privacy@opefin.com. | Compliant |
| IPP 7 — Correction | You have the right to ask us to correct inaccurate information. If the inaccuracy affects a certificate already issued, we will notify the reporting entity and issue a corrected certificate where appropriate. | Compliant |
| IPP 8 — Accuracy | Before using personal information, we take reasonable steps to ensure it is accurate, up to date, complete, and relevant. Open banking data is retrieved in real time from your bank. | Compliant |
| IPP 9 — Retention | We keep personal information for the purposes described and for the statutory periods set out in Section 4. Derived and anonymised data is retained for product development purposes and is no longer personal information once anonymised. | Compliant |
| IPP 10 — Use | We use your information for the purposes set out in IPP 1 above and in the Global Privacy Policy Part 4. We do not use it for credit assessment, affordability analysis, employment screening, insurance underwriting, or targeted advertising. | Compliant |
| IPP 11 — Limits on disclosure | We disclose your information only to: the requesting reporting entity; other reporting entities in the same transaction under the reliance model; accredited reporting entities querying your Compliance Network record for genuine transactions with notification; and sub-processors bound by data protection obligations. | Compliant |
| IPP 12 — Unique identifiers | We assign a unique Certificate ID to each certificate for operational purposes. We do not share or cross-reference this identifier with other agencies in a way not directly connected to the certificate or Compliance Network purpose. | Compliant |
Part 4
How long we keep your data in New Zealand
| Data category | Retention period | Why |
|---|---|---|
| Opefin Source certificates | 5 years from the certificate date. Required by section 49, AML/CFT Act 2009. | Statutory obligation. |
| Compliance Network record | 5 years from the certificate date. Deleted within 30 days of expiry or your removal request after the statutory period. | Statutory obligation; Compliance Network operation. |
| Open banking transaction data (incorporated) | Retained as part of the certificate and Compliance Network record for the 5-year period. | Statutory obligation. |
| Open banking transaction data (not incorporated) | Deleted within 30 days of certificate generation or Akahu connection revocation. | Privacy Act 2020 IPP 9. |
| Derived and anonymised data | Retained indefinitely for product development and analytics. Once anonymised, this data is no longer personal information. | Legitimate interests in product improvement. |
| Akahu consent records | 5 years from the consent event, consistent with the AML/CFT Act and CPD Act. | Statutory obligation. |
| Certificate audit log | 5 years from the certificate date. | AML/CFT Act. |
| Account and profile information | Duration of your account plus 2 years after closure. | Legitimate interests. |
Section 49, AML/CFT Act 2009
Section 49 requires reporting entities and their agents to retain transaction and account records for at least 5 years. Because Opefin Source acts as the technical infrastructure for the reporting entity’s CDD process, we are required to maintain the certificate record for this period. If you ask us to delete your certificate or Compliance Network record before the 5-year period has passed, we cannot comply. We will tell you this when you make the request and delete the data as soon as the period ends, within 30 days of expiry.
Part 5
The Opefin Compliance Network in New Zealand
The Opefin Compliance Network is a core feature of Opefin Source. It is not a secondary optional use. By accepting the Consumer Terms and this Privacy Notice, you agree to your certificate and associated verified data being part of the Network for the statutory retention period.
5.1 NZ legislative reliance and the Network
Section 33 of the AML/CFT Act allows a reporting entity to rely on another reporting entity’s CDD records under specified conditions. The Opefin Compliance Network supports and extends this model by enabling accredited reporting entities to access your verified compliance record for future transactions, with notification to you, without requiring you to repeat the full CDD process.
5.2 Notification for Network queries
When an accredited reporting entity queries your Network record, you will receive a notification. You do not need to give fresh consent for each query, but you are notified of each one. You may request removal from active Network queries at any time while acknowledging that the underlying certificate must be retained for the statutory period.
5.3 CPD Act and the Compliance Network
Access to your open banking data via Akahu is used to generate your certificate and Compliance Network record. The CPD Act requires that open banking data be used only for the purpose disclosed at consent. The disclosed purpose includes Compliance Network record creation and future re-query by accredited reporting entities. Raw open banking data is not shared through the Network; only the structured derived record is held and queried.
Part 6
Your rights in New Zealand
6.1 Access and correction requests
Under sections 44 and 71 of the Privacy Act 2020, you have the right to access the personal information we hold about you and to request correction of inaccurate information. Send your request to privacy@opefin.com. We will acknowledge within 5 working days and respond within 20 working days.
6.2 Complaints to Opefin
| Field | Detail |
|---|---|
| complaints@opefin.com | |
| What to include | Your name, a description of the concern, and any relevant dates or reference numbers. |
| Our response | Within 20 working days. |
6.3 Complaints to the Office of the Privacy Commissioner
| Contact | Detail |
|---|---|
| Website | privacy.org.nz |
| Online complaint form | privacy.org.nz/your-rights/make-a-complaint/ |
| Phone | 0800 803 909 (within NZ) |
| Address | PO Box 10094, The Terrace, Wellington 6143, New Zealand |
6.4 Complaints about your open banking connection (CPD Act)
| Body | What they handle |
|---|---|
| Ministry of Business, Innovation and Employment (MBIE) | For complaints about the CDR framework and accredited data intermediaries. |
| Commerce Commission | For complaints about anticompetitive or unfair behaviour in connection with open banking data. |
| Akahu directly | support@akahu.nz |
Part 7
NZ-specific disclosures
7.1 Reporting Entities in New Zealand
Reporting entities using Opefin Source in New Zealand are supervised by the Department of Internal Affairs (DIA). They must hold a current AML/CFT Programme and comply with the AML/CFT Act 2009, the AML/CFT (Requirements and Compliance) Regulations 2011, and related guidelines.
7.2 Government identity verification
Where the IDV Module is configured to use government-source identity confirmation, Opefin Source connects to the applicable government identity service in New Zealand. This check is performed through our IDV provider under its own privacy framework. We send a verification request and receive a name and verification outcome only. We incorporate the outcome into your certificate and do not retain raw verification data after certificate generation.
7.3 No FSPR registration required
Opefin Limited is a technology company. We are not a financial service provider and are not registered on the Financial Service Providers Register (FSPR).
7.4 Consumer Guarantees Act 1993 and Fair Trading Act 1986
If you are an individual consumer, certain parts of the Consumer Guarantees Act 1993 and the Fair Trading Act 1986 apply to your use of Opefin Source. These Acts give you guaranteed rights that cannot be excluded by contract. Nothing in our Consumer Terms, this notice, or any other Opefin document removes those rights.
Part 8
Contact details
| Contact | Details |
|---|---|
| Privacy Officer | Privacy Officer, Opefin Limited |
| privacy@opefin.com | |
| Complaints email | complaints@opefin.com |
| Website | opefin.com |
| Office of the Privacy Commissioner | privacy.org.nz | 0800 803 909 |
| Akahu Limited (open banking) | akahu.nz | support@akahu.nz |
| Department of Internal Affairs (AML/CTF) | dia.govt.nz |
| MBIE (CPD Act) | mbie.govt.nz |
End of New Zealand Privacy Notice
Version 1.0 | Effective: 1 April 2026 | Opefin Limited (NZBN 9429053433008)
