Will my address book data be sent to your servers?
That is your decision – Threema can be used without any address book access. If you have disabled the synchronization in Threema, no address book data will be read. You will then have to manually add your Threema contacts (by typing in their IDs or scanning QR codes).
If you decide to use the synchronization, email addresses and phone numbers from your address book will only be transmitted to the server in one-way encrypted (“hashed”) form and additionally protected using TLS encryption. The servers only keep these hashes in volatile memory for a short time to determine the list of matching IDs, and then delete the hashes immediately. At no point are the hashes or the results of the synchronization written to disk.
Please note: due to the relatively low number of possible phone number combinations, it is theoretically possible to crack hashes of phone numbers by trying all possibilities. This is due to the nature of hashes and phone numbers and cannot be solved differently (using salts, as is done when hashing passwords, does not work for this kind of data matching). Therefore we treat phone number hashes with the same care as if they were raw/unhashed phone numbers.
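The following Python sketch is an added illustration, not Threema's code: it uses SHA-256 as a stand-in hash (the actual function is not named here) with constructed numbers and IDs to show why a secret salt breaks matching, while a salt shared by both sides leaves a block of numbers just as enumerable as before. All function names and sample values are assumptions.

```python
import hashlib
import os

def match_hash(number: str, salt: bytes = b"") -> str:
    # Stand-in one-way hash (assumption: the real function is not given on the page).
    return hashlib.sha256(salt + number.encode()).hexdigest()

# Constructed sample data: registered numbers and their IDs on the server side.
REGISTERED = {"+15550100042": "ID-AAAA", "+15550100777": "ID-BBBB"}

def server_match(uploaded, salt: bytes = b""):
    """Server side: return the IDs whose number hash appears in the upload."""
    index = {match_hash(n, salt): i for n, i in REGISTERED.items()}
    return sorted(index[h] for h in uploaded if h in index)

def sync(address_book, client_salt: bytes = b"", server_salt: bytes = b""):
    """Client hashes its address book; the server intersects with its own hashes."""
    uploaded = [match_hash(n, client_salt) for n in address_book]
    return server_match(uploaded, server_salt)

def enumerate_block(target_hash: str, prefix: str, digits: int, salt: bytes = b""):
    """Walk every number in one block; the cost is only 10**digits hash calls."""
    for i in range(10 ** digits):
        candidate = f"{prefix}{i:0{digits}d}"
        if match_hash(candidate, salt) == target_hash:
            return candidate
    return None

if __name__ == "__main__":
    book = ["+15550100042", "+15550109999"]  # constructed address book

    # Unsalted: both sides compute the same hash, so the match is found.
    print(sync(book))

    # Password-style secret random salt: the server cannot reproduce the
    # client's hashes, so nothing matches any more.
    print(sync(book, client_salt=os.urandom(16)))

    # Salt known to both sides: matching works again, but anyone who can
    # match can also enumerate, so the hash still has to be handled like
    # the raw number.
    shared = b"shared-salt"
    print(sync(book, shared, shared))
    print(enumerate_block(match_hash(book[0], shared), "+1555010", 4, shared))
```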