Privacy Policy
Last updated: 2026-04-14 · Version 1.0 · © 2025 Open Finance Infrastructure Ltd.
1. Controller
Open Finance Infrastructure Ltd. ("we", "us", "our") is the data controller for personal data processed in connection with our website and marketing activities. Where we act as data processor on behalf of customers using our Services, the roles and responsibilities are set out in the Data Processing Agreement.
2. Contact
Data Protection Officer: [email protected]. Our EU representative for GDPR purposes is provided on request.
3. Personal data we collect
Visitors and prospective customers
- Identifiers: name, business email, company, role, phone (optional).
- Usage data: pages visited, IP address (anonymised within 7 days), user-agent.
- Cookies: strictly-necessary only, plus analytics with explicit opt-in (see Cookie Policy).
Authenticated users / developers
- Account data: name, email, hashed password, 2FA state, API key fingerprints.
- Organisational metadata: tenant name, role, entitlements, billing contact.
- Audit logs: API request metadata (who, what, when, request-id), not payload contents.
4. Legal bases (GDPR Art. 6)
- Contract performance — to provide the Services you have subscribed to.
- Legitimate interests — security monitoring, fraud prevention, product improvement.
- Legal obligation — AML/CFT record keeping under 6AMLD, PSD2 Art. 95, DORA, tax law.
- Consent — marketing communications, optional analytics cookies. Withdrawable at any time.
5. Retention
- Account data: for the duration of your subscription, followed by a 30-day deletion window, unless a legal hold applies.
- Audit logs: 7 years (AML/CFT retention requirements).
- Financial records: 10 years (tax and regulatory requirements).
- Marketing contact: until you unsubscribe or 3 years of inactivity.
6. Sharing
We share personal data only with: (a) sub-processors under written contract and equivalent data protection terms, (b) regulators and law enforcement where legally required, and (c) professional advisors (auditors, lawyers) under confidentiality obligations. A current sub-processor list is available at openbanqing.com/legal/subprocessors.
7. International transfers
Where personal data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (EU Commission Decision 2021/914) together with appropriate technical and organisational supplementary measures (encryption in transit and at rest, pseudonymisation where feasible, access controls).
8. Your rights (GDPR Art. 15–22)
You have rights of access, rectification, erasure, restriction of processing, data portability, and objection. For authenticated users, these are exercised via the admin console or by contacting the DPO. We respond within 30 days (extendable to 60 days for complex requests). You also have the right to lodge a complaint with your supervisory authority.
9. Security
We maintain an ISO 27001-certified ISMS, SOC 2 Type II controls, encryption in transit (TLS 1.3) and at rest (AES-256), penetration testing at least annually, and a 24×7 security operations capability. See Compliance for details.
10. Children
The Services are not intended for users under the age of 18 and we do not knowingly collect personal data from children.
11. Changes
We will post material changes on this page with a minimum 30-day notice. Continued use of the Services after the effective date constitutes acceptance of the revised policy.