Legal

Privacy Policy

How OpenDinar collects, uses, and protects personal data from developers and their end users.

Effective: 1 January 2026  ·  Last updated: 7 April 2026
This Privacy Policy applies to opendinar.com and the OpenDinar API service. It describes our practices as a data controller for developer account data, and as a data processor for end user financial data processed on behalf of developers using our API.

1. Who We Are

OpenDinar ("OpenDinar", "we", "us", "our") is an open banking infrastructure company operating in the Republic of Serbia. We provide APIs that allow developers to access financial data from Serbian banks on behalf of their users.

Legal entity: OpenDinar [Entity Type]
Registered address: [Address], Belgrade, Republic of Serbia
Contact: privacy@opendinar.com

2. Scope of This Policy

This Privacy Policy applies to:

  • Developers who create accounts on api.opendinar.com/dashboard, obtain API keys, and integrate with the OpenDinar API.
  • End users whose financial data is accessed through the OpenDinar API by applications built by developers.
  • Website visitors who browse opendinar.com.

If you are an end user of an application built on OpenDinar, you should also review the privacy policy of the application you are using, as the developer of that application is an independent data controller for their own data practices.

3. Data We Collect

3.1 Developer Account Data

When you register for an OpenDinar developer account, we collect:

  • Identity data: full name, email address, company name
  • Account credentials: hashed password (we never store plain-text passwords)
  • API usage data: API call logs, endpoint usage, error rates, timestamps
  • Billing data: for paid plans, billing contact details (payment card data is handled by our payment processor, not stored by us directly)
  • Communication data: emails and messages you send to us

3.2 End User Financial Data (via Developer API calls)

When an end user connects their bank account through a developer's application using our Link Widget, we process the following data only with the user's explicit consent and only for the data types the developer has requested access to:

  • Account data: account holder name, account type, IBAN, BIC, currency
  • Transaction data: transaction amounts, dates, merchant names, categories, pending status
  • Balance data: current and available balance snapshots
  • Identity data: full name, address, phone number, email address on file at the bank — only when the Identity API product is enabled by the developer

We do not collect or store end users' bank login credentials, PINs, or passwords. Authentication occurs directly between the user and their bank through our Link Widget.

3.3 Website and Technical Data

When you visit opendinar.com, we may collect standard technical data via server logs: IP address, browser type, pages visited, and referral source. This is used solely for security monitoring and service operation.

We process personal data under the following legal bases, in accordance with the Serbian Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti) and GDPR principles:

  • Contract performance: Processing developer account data is necessary to provide the API service you have signed up for.
  • Consent: End user financial data is processed only on the basis of the explicit consent given by the end user when they connect their bank account through the Link Widget. This consent can be withdrawn at any time.
  • Legitimate interests: Security monitoring, fraud prevention, and service improvement — where these interests are not overridden by your rights.
  • Legal obligation: Where we are required by law to retain or disclose data.

5. How We Use Data

We use the data we collect for the following purposes:

  • To provide the API service: fulfil API requests, connect to bank systems, return financial data to developers
  • To operate developer accounts: authenticate developers, manage API keys, enforce rate limits
  • To process payments: bill developers for paid plans (Growth and Enterprise)
  • To ensure security: detect and prevent fraud, abuse, and unauthorised access
  • To improve the service: analyse usage patterns to improve performance and features (aggregated, not individual-level)
  • To communicate: send service notifications, security alerts, and (with consent) product updates
  • To comply with legal obligations: respond to lawful requests from authorities

We do not sell personal data. We do not use end user financial data for advertising, profiling, or any purpose other than providing the API service to the developer who obtained the user's consent.

6. Who We Share Data With

We share personal data only in the following circumstances:

  • Serbian banks: To fulfil API requests, we transmit authorisation tokens to the relevant bank and receive financial data in return. Bank connections are established solely on the basis of user consent.
  • Cloud infrastructure provider (DigitalOcean): Our hosting provider processes data on servers within the EU. DigitalOcean is bound by a Data Processing Agreement.
  • Payment processor: For billing purposes only. Payment card data is processed by our payment processor and is not stored by OpenDinar.
  • Legal authorities: Where required by applicable law, court order, or to protect the rights and safety of OpenDinar or others.

We do not share personal data with any third parties for marketing, analytics, or advertising purposes.

7. International Data Transfers

OpenDinar is based in Serbia. Our primary infrastructure runs on DigitalOcean servers located within the European Union. When data is transferred to or stored within the EU, it is subject to EU data protection standards, which the European Commission has assessed as providing adequate protection.

If any future service provider processes data outside the EEA or Serbia, we will ensure appropriate safeguards are in place (such as Standard Contractual Clauses) before such transfers occur.

8. Data Retention

  • Developer account data: Retained for the duration of your account and for 90 days after account closure, after which it is permanently deleted.
  • API usage logs: Retained for 90 days for security and debugging purposes.
  • End user financial data: Retained for the duration of the active bank connection. When a connection is revoked by the user or deleted by the developer, associated financial data is queued for permanent deletion within 30 days.
  • Billing records: Retained for 7 years as required by Serbian tax and accounting law.
  • Security incident records: Retained as required to comply with notification and reporting obligations.

9. Your Rights

Under Serbian data protection law and GDPR principles, you have the following rights regarding your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request correction of inaccurate or incomplete data.
  • Right to erasure: You may request deletion of your personal data where we no longer have a lawful basis to retain it.
  • Right to data portability: You may receive your data in a structured, commonly used, machine-readable format.
  • Right to object: You may object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent (such as end user bank connections), you may withdraw that consent at any time by revoking the connection through the developer's application or by contacting us.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) in Serbia, or the supervisory authority in your country of residence.

To exercise any of these rights, contact us at privacy@opendinar.com. We will respond within 30 days.

10. Cookies

The opendinar.com marketing website uses minimal cookies:

  • Strictly necessary cookies: Session management for the developer dashboard (api.opendinar.com). These cannot be disabled as they are required for the service to function.
  • Preference cookies: Storing your cookie consent choice. Expires after 12 months.

We do not use advertising cookies, tracking pixels, or third-party analytics on the marketing website. We do not share cookie data with any third party.

You may manage cookie preferences using the banner displayed on your first visit to opendinar.com.

11. Children

The OpenDinar API service is intended for use by developers and businesses. Our services are not directed to individuals under the age of 18. If you believe we have inadvertently collected personal data from a minor, please contact us at privacy@opendinar.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify registered developers by email at least 14 days before the changes take effect
  • Display a notice on the OpenDinar dashboard

Your continued use of the OpenDinar API after changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account before the effective date.

13. Contact Us

For any questions, requests, or concerns about this Privacy Policy or how we handle your personal data, please contact:

OpenDinar — Data Privacy
Email: privacy@opendinar.com
Address: [Address], Belgrade, Republic of Serbia

We aim to respond to all privacy-related enquiries within 5 business days, and to complete data subject requests within 30 days.