Legal

New Zealand Privacy Notice

Jurisdiction-Specific Notice: Read alongside the Global Privacy Policy

Version 1.0  |  Effective Date: 1 April 2026

Opefin Limited (NZBN: 9429053433008)  |  privacy@opefin.com

FieldDetail
Document typeNew Zealand Privacy Notice (Jurisdiction-Specific)
Applies toUsers in New Zealand / transactions subject to NZ law
Read alongsideGlobal Privacy Policy baseline
Version1.0
Effective date1 April 2026
Privacy contactprivacy@opefin.com

How to read this notice

This notice supplements the Opefin Global Privacy Policy baseline. It does not replace it. Read both documents together. Where this notice says something different from the global baseline, this notice takes precedence for users in New Zealand.

This notice explains your rights and our obligations under the Privacy Act 2020 (NZ), the Customer and Product Data Act 2025 (NZ), and the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (NZ).

Part 1

The New Zealand legal framework

LawWhat it does
Privacy Act 2020The core privacy law in New Zealand. It sets out 12 Information Privacy Principles (IPPs) that govern how we collect, use, store, and disclose your personal information. The regulator is the Office of the Privacy Commissioner (OPC).
Customer and Product Data Act 2025 (CPD Act)The open banking law in New Zealand. It governs how consumer data can be shared between banks and accredited third parties. Any open banking data sharing must be done with your informed consent, through an accredited data intermediary. Akahu Limited is the accredited data intermediary we use in New Zealand.
AML/CFT Act 2009The law that requires reporting entities (like lawyers, conveyancers, real estate agents, accountants and high value dealers, and others), to verify the source of their clients' funds and wealth. Under section 49, records must be retained for at least 5 years.

Part 2

How Akahu fits in

2.1 What Akahu does

In New Zealand, we use Akahu Limited as our open banking intermediary. Akahu is accredited under the Customer and Product Data Act 2025. When you connect your bank account through Opefin Source, you create a connection via Akahu. Akahu acts as a secure intermediary between your bank and Opefin. When you give your consent, Akahu retrieves your bank account and transaction data on our behalf and delivers it to us securely.

2.2 Scope of Akahu access

We use Akahu’s enduring consent service for account information only. We retrieve account balances and transactions only. We do not initiate payments or transfers via Akahu, and we do not use Akahu Apply, Akahu Genie, or any other Akahu product. For most Opefin Source requests, the consent is used once to generate the certificate and then the connection is complete (although ongoing consent may also be required).

2.3 Akahu’s own terms

DocumentWhere to find it
Akahu End User Termsakahu.nz/terms
Akahu Privacy Policyakahu.nz/privacy
Akahu supportsupport@akahu.nz

Your Akahu connection is separate from your Opefin account

You can revoke it at any time through my.akahu.nz or through the Opefin platform. Revoking stops further data retrieval but does not delete a certificate already generated or information already received by the Opefin platform, which is subject to the 5-year AML/CFT Act retention period.

2.4 What happens when you revoke the Akahu connection

If a certificate has already been generated using your data, that certificate and the underlying data incorporated into it must be retained for 5 years from the certificate date under section 49 of the AML/CFT Act 2009. Revoking the Akahu connection does not shorten this obligation. Raw bank data retrieved via Akahu but not incorporated into any certificate is deleted within 30 days of revocation. Data incorporated into a certificate or Compliance Network record is retained for the statutory period.

2.5 CPD Act and disclosed purpose of open banking consent

The Customer and Product Data Act 2025 requires that open banking data be used only for the purpose disclosed at the time of consent. The purpose disclosed in your Opefin consent flow includes: verifying your identity and generating your AML/CTF compliance certificate; creating and maintaining your verified compliance record in the Opefin Compliance Network; EDD screening (PEP, sanctions, and adverse media screening) where that module is activated; enabling accredited reporting entities to query your record for future transactions with notification to you; and improving Opefin products using derived and anonymised data. Raw open banking data is not used for purposes outside this disclosed scope.

2.6 Obligation to notify Akahu of changes

As part of Opefin’s Akahu accreditation, Opefin is required to notify Akahu at hello@akahu.nz if we make any changes to this Privacy Notice that affect how we use data exchanged via the Akahu connection.

Part 3

Your rights under the Privacy Act 2020

The Privacy Act 2020 sets out 12 Information Privacy Principles (IPPs). The table below explains how Opefin meets each obligation in the Opefin Source and Compliance Network context.

PrincipleHow Opefin meets itStatus
IPP 1 — Purpose of collectionWe collect personal information for the following purposes: verifying your identity through biometric and document verification; generating an AML/CTF compliance certificate; EDD screening (PEP, sanctions, and adverse media) where that module is activated; creating and maintaining your verified compliance record in the Opefin Compliance Network; enabling accredited reporting entities to query that record for future transactions; improving Opefin products using derived and anonymised data; complying with legal obligations; and operating our platform securely.Compliant
IPP 2 — Source of informationWe collect information directly from you, from your bank via the Akahu open banking connection with your consent, from our appointed IDV Provider (for biometric and identity document verification), and from third-party verification services where disclosed at consent. Your facial image, liveness check result, and identity document scan are processed by our IDV Provider under the IDV Provider's own privacy framework. Opefin receives the verification outcome only and does not retain your raw biometric data.Compliant
IPP 3 — Collection from the individualWhen you start the consent process, we tell you who we are, why we are collecting your information, all purposes including Compliance Network use, who it will be disclosed to, and your rights. This is done through the Consumer Consent Disclosure Notice.Compliant
IPP 4 — Manner of collectionWe collect information in a way that is lawful, fair, and not unreasonably intrusive. The open banking connection is direct, secure, and consent-based.Compliant
IPP 5 — Storage and securityWe store your information with AES-256 encryption at rest and TLS 1.2+ encryption in transit. Access is restricted to authorised staff on a need-to-know basis. We conduct regular penetration testing.Compliant
IPP 6 — AccessYou have the right to ask us for a copy of the personal information we hold about you. We will respond within 20 working days. Contact privacy@opefin.com.Compliant
IPP 7 — CorrectionYou have the right to ask us to correct inaccurate information. If the inaccuracy affects a certificate already issued, we will notify the reporting entity and issue a corrected certificate where appropriate.Compliant
IPP 8 — AccuracyBefore using personal information, we take reasonable steps to ensure it is accurate, up to date, complete, and relevant. Open banking data is retrieved in real time from your bank.Compliant
IPP 9 — RetentionWe keep personal information for the purposes described and for the statutory periods set out in Section 4. Derived and anonymised data is retained for product development purposes and is no longer personal information once anonymised.Compliant
IPP 10 — UseWe use your information for the purposes set out in IPP 1 above and in the Global Privacy Policy Part 4. We do not use it for credit assessment, affordability analysis, employment screening, insurance underwriting, or targeted advertising.Compliant
IPP 11 — Limits on disclosureWe disclose your information only to: the requesting reporting entity; other reporting entities in the same transaction under the reliance model; accredited reporting entities querying your Compliance Network record for genuine transactions with notification; and sub-processors bound by data protection obligations.Compliant
IPP 12 — Unique identifiersWe assign a unique Certificate ID to each certificate for operational purposes. We do not share or cross-reference this identifier with other agencies in a way not directly connected to the certificate or Compliance Network purpose.Compliant

Part 4

How long we keep your data in New Zealand

Data categoryRetention periodWhy
Opefin Source certificates5 years from the certificate date. Required by section 49, AML/CFT Act 2009.Statutory obligation.
Compliance Network record5 years from the certificate date. Deleted within 30 days of expiry or your removal request after the statutory period.Statutory obligation; Compliance Network operation.
Open banking transaction data (incorporated)Retained as part of the certificate and Compliance Network record for the 5-year period.Statutory obligation.
Open banking transaction data (not incorporated)Deleted within 30 days of certificate generation or Akahu connection revocation.Privacy Act 2020 IPP 9.
Derived and anonymised dataRetained indefinitely for product development and analytics. Once anonymised, this data is no longer personal information.Legitimate interests in product improvement.
Akahu consent records5 years from the consent event, consistent with the AML/CFT Act and CPD Act.Statutory obligation.
Certificate audit log5 years from the certificate date.AML/CFT Act.
Account and profile informationDuration of your account plus 2 years after closure.Legitimate interests.

Section 49, AML/CFT Act 2009

Section 49 requires reporting entities and their agents to retain transaction and account records for at least 5 years. Because Opefin Source acts as the technical infrastructure for the reporting entity’s CDD process, we are required to maintain the certificate record for this period. If you ask us to delete your certificate or Compliance Network record before the 5-year period has passed, we cannot comply. We will tell you this when you make the request and delete the data as soon as the period ends, within 30 days of expiry.

Part 5

The Opefin Compliance Network in New Zealand

The Opefin Compliance Network is a core feature of Opefin Source. It is not a secondary optional use. By accepting the Consumer Terms and this Privacy Notice, you agree to your certificate and associated verified data being part of the Network for the statutory retention period.

5.1 NZ legislative reliance and the Network

Section 33 of the AML/CFT Act allows a reporting entity to rely on another reporting entity’s CDD records under specified conditions. The Opefin Compliance Network supports and extends this model by enabling accredited reporting entities to access your verified compliance record for future transactions, with notification to you, without requiring you to repeat the full CDD process.

5.2 Notification for Network queries

When an accredited reporting entity queries your Network record, you will receive a notification. You do not need to give fresh consent for each query, but you are notified of each one. You may request removal from active Network queries at any time while acknowledging that the underlying certificate must be retained for the statutory period.

5.3 CPD Act and the Compliance Network

Access to your open banking data via Akahu is used to generate your certificate and Compliance Network record. The CPD Act requires that open banking data be used only for the purpose disclosed at consent. The disclosed purpose includes Compliance Network record creation and future re-query by accredited reporting entities. Raw open banking data is not shared through the Network; only the structured derived record is held and queried.

Part 6

Your rights in New Zealand

6.1 Access and correction requests

Under sections 44 and 71 of the Privacy Act 2020, you have the right to access the personal information we hold about you and to request correction of inaccurate information. Send your request to privacy@opefin.com. We will acknowledge within 5 working days and respond within 20 working days.

6.2 Complaints to Opefin

FieldDetail
Emailcomplaints@opefin.com
What to includeYour name, a description of the concern, and any relevant dates or reference numbers.
Our responseWithin 20 working days.

6.3 Complaints to the Office of the Privacy Commissioner

ContactDetail
Websiteprivacy.org.nz
Online complaint formprivacy.org.nz/your-rights/make-a-complaint/
Phone0800 803 909 (within NZ)
AddressPO Box 10094, The Terrace, Wellington 6143, New Zealand

6.4 Complaints about your open banking connection (CPD Act)

BodyWhat they handle
Ministry of Business, Innovation and Employment (MBIE)For complaints about the CDR framework and accredited data intermediaries.
Commerce CommissionFor complaints about anticompetitive or unfair behaviour in connection with open banking data.
Akahu directlysupport@akahu.nz

Part 7

NZ-specific disclosures

7.1 Reporting Entities in New Zealand

Reporting entities using Opefin Source in New Zealand are supervised by the Department of Internal Affairs (DIA). They must hold a current AML/CFT Programme and comply with the AML/CFT Act 2009, the AML/CFT (Requirements and Compliance) Regulations 2011, and related guidelines.

7.2 Government identity verification

Where the IDV Module is configured to use government-source identity confirmation, Opefin Source connects to the applicable government identity service in New Zealand. This check is performed through our IDV provider under its own privacy framework. We send a verification request and receive a name and verification outcome only. We incorporate the outcome into your certificate and do not retain raw verification data after certificate generation.

7.3 No FSPR registration required

Opefin Limited is a technology company. We are not a financial service provider and are not registered on the Financial Service Providers Register (FSPR).

7.4 Consumer Guarantees Act 1993 and Fair Trading Act 1986

If you are an individual consumer, certain parts of the Consumer Guarantees Act 1993 and the Fair Trading Act 1986 apply to your use of Opefin Source. These Acts give you guaranteed rights that cannot be excluded by contract. Nothing in our Consumer Terms, this notice, or any other Opefin document removes those rights.

Part 8

Contact details

ContactDetails
Privacy OfficerPrivacy Officer, Opefin Limited
Emailprivacy@opefin.com
Complaints emailcomplaints@opefin.com
Websiteopefin.com
Office of the Privacy Commissionerprivacy.org.nz | 0800 803 909
Akahu Limited (open banking)akahu.nz | support@akahu.nz
Department of Internal Affairs (AML/CTF)dia.govt.nz
MBIE (CPD Act)mbie.govt.nz

End of New Zealand Privacy Notice

Version 1.0 | Effective: 1 April 2026 | Opefin Limited (NZBN 9429053433008)