Which data gets stored at Threema?
Using Threema ought to generate as little data on servers as possible – this is part of the concept. For that reason, data such as contacts or group chats are stored in a decentralized way on user devices instead of on a Threema server. Our servers assume the role of a switch: messages and data get forwarded, but not permanently stored. Where there is no data, there is nothing to be accessed or misused. However, without some kind of (temporary) data storage, there cannot be any asynchronous communication. Below, we explain what kind of data we store, how we store it, and for how long.
- Messages and group chats: As soon as a message has been successfully delivered to the recipient, it is immediately deleted from the server. All messages and media are transmitted end-to-end encrypted in Threema. This means: even if someone intercepted your message, it would be completely useless. Only the intended recipient is able to decrypt and read a message.
- No contact lists are stored when synchronizing contacts: The email addresses and phone numbers from your address book get anonymized (hashed) before they reach the server. Once the comparison is finished, they are immediately deleted from the server.
- Key pairs are generated in a decentralized way on your device. Your private key is never known to us, and therefore we cannot decrypt any message contents.
- Threema doesn't log who is communicating with whom (which Threema IDs are communicating).
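A minimal sketch of the hashed contact comparison described in the list above, added here as an illustration and not Threema's own code. The keyed SHA-256 construction, the key, the normalization rules, the default country code and the sample ID are assumptions made for the example; the page only states that identifiers are hashed before they reach the server and deleted once the comparison is finished.

```python
import hashlib
import hmac
import re

# Assumption: keyed SHA-256 with a constructed key; the page does not name the hash.
EXAMPLE_KEY = b"constructed-key-for-this-example"

def normalize_phone(raw, default_cc="41"):
    """Bring a phone number to international digits so both sides hash the same string."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return default_cc + digits[1:]
    return digits

def hash_identifier(value):
    return hmac.new(EXAMPLE_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()

def client_hashes(address_book):
    """Runs on the device: returns hash -> contact name. Names and raw values stay local."""
    local = {}
    for name, phone, email in address_book:
        if phone:
            local[hash_identifier(normalize_phone(phone))] = name
        if email:
            local[hash_identifier(email.strip().lower())] = name
    return local

class MatchServer:
    """Holds only hashes of identifiers that users chose to link to their ID."""
    def __init__(self):
        self.directory = {}

    def link(self, hashed, user_id):
        self.directory[hashed] = user_id

    def match(self, uploaded):
        # The uploaded hashes live only in this call; nothing is written to server state.
        return {h: self.directory[h] for h in uploaded if h in self.directory}

def sync(address_book, server):
    local = client_hashes(address_book)
    return {local[h]: uid for h, uid in server.match(list(local)).items()}

if __name__ == "__main__":
    srv = MatchServer()
    srv.link(hash_identifier("41791234567"), "EXAMPLE1")  # constructed ID
    book = [("Alice", "079 123 45 67", None), ("Carol", "+41 79 000 00 00", None)]
    print(sync(book, srv))
```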
Further information: Cryptography Whitepaper.