Privacy Policy

1. General

The “Threema Website” (https://threema.ch/) serves the public presentation of Threema GmbH (hereinafter “Threema”) and its products towards consumers and business customers (hereinafter “Visitors”).

Threema’s focus lies on data protection and privacy, which is why we provide interested Visitors to the Threema Website with the information for transparent processing of their personal data in this Privacy Policy.

A. Scope of Application

This Privacy Policy applies to all data processing activities that take place while visiting and interacting with the Threema Website and are related to personal data, namely:

A. Calling Up the Threema Website;
B. Support Forms;
C. Feedback Forms;
D. Prize Draws;
E. Business Contact Forms;
F. Webinars;
G. Further Processing of Personal Data for Consultations (Business Customers Only);
H. Newsletters;
I. Press Releases;
J. Misuse Protection (hCaptcha);
K. Affiliate Links (Cookies).

Threema as the data controller is a limited liability company under Swiss law with its registered office in Pfäffikon SZ (municipality of Freienbach), Switzerland, and business identification number (hereinafter “UID”) CHE-221.440.104.

When a Visitor visits and interacts with the Threema Website, personal data is, unless otherwise stated in this Privacy Policy, processed and, if necessary, stored exclusively on Threema’s own servers in two data centers of an “ISO 27001”-certified colocation partner located in Zurich, Switzerland (hereinafter “Threema Servers”).

As a company with its registered office in Switzerland, Threema and the data processing it carries out are subject to Swiss data protection law (Federal Act on Data Protection of September 25, 2020, SR 235.1; hereinafter “FADP”). For data subjects residing in the territory of the EU or the EEA (marked with “for EU/EEA”), European data protection law (Regulation (EU) 2016/679 of April 27, 2016, General Data Protection Regulation; hereinafter “GDPR”) may additionally apply.

Personal data pursuant to Art. 5 lit. a FADP [for EU/EEA: Art. 4 No. 1 GDPR] is information that relates to an identified or identifiable natural person.

B. Controller

Threema GmbH
Churerstrasse 82
8808 Pfäffikon SZ
Switzerland

UID: CHE-221.440.104

C. Data Protection Officer

Threema GmbH
Data Protection Officer
Churerstrasse 82
8808 Pfäffikon SZ
Switzerland

Email: privacy at threema dot ch

D. Representative in the EU (Art. 27 GDPR)

ACC Datenschutz UG
Messestrasse 6
94036 Passau
Germany

E. Swiss Supervisory Authority

Federal Data Protection and Information Commissioner (FDPIC)
Feldweg 1
3003 Bern
Switzerland

Telephone: +41 58 462 43 95
Contact form of the FDPIC: Link

2. Processing Activities

Depending on the interaction when the Visitor visits the Threema Website, Threema processes different categories of personal data about the Visitor for different purposes, based on different legal bases and with different storage periods, if any personal data is stored at all.

A. Calling Up the Threema Website

Processing

When the Threema Website is called up, information, including personal data, is automatically sent to the Threema Servers by the browser on the Visitor’s device, processed, and stored in a log file.

After processing the full IP address, normally only the first two digits of a Visitor’s IP address are stored in the log file, unless an error occurred when calling up the Threema Website. In case of an error, the full IP address is stored in the log file.

Categories of Processed Personal Data

When calling up the Threema Website, the following personal data is processed on the Threema Servers and stored in a log file:

  • IP address of the Visitor.

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

  • Delivery of the Threema Website in the Visitor’s browser;
  • Information security.

Legal Basis

The processing and storage of IP addresses is technically necessary and based on the overriding private interest (delivery of the Threema Website to the Visitor; information security) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

The processing of the IP address is technically necessary to deliver the Threema Website in the Visitor’s browser, and to be able to analyze potential technical errors for information security purposes.

Storage Period

The log file with the Visitor’s IP address created when the Threema Website is called up is stored on the Threema Servers for 10 days, counting from the creation date of the log file, and then automatically deleted.

B. Support Forms

Processing

Visitors to the Threema Website may submit support requests for the “Threema App” for consumers to the Threema staff via a corresponding form (hereinafter “Support Form”).

Categories of Processed Personal Data

When submitting a Support Form, the following personal data is processed and stored on the Threema Servers

  • Email address.

To protect the Threema Website from misuse, Threema uses a captcha from the hCaptcha service (see Section 2.J.).

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

  • Recording, processing, and answering of support requests.

Legal Basis

When submitting Support Forms, the processing of the Visitor’s personal data only takes place if the Visitor has given Threema their voluntary consent for the processing of this personal data; Art. 31 Sec. 1 FADP [for EU/EEA: Art. 6 Sec. 1 lit. a GDPR].

Storage Period

The email address provided by the Visitor when submitting Support Forms is stored on the Threema Servers for 6 months and then automatically deleted. If the Visitor submits another Support Form with the same email address before the deletion period expires, the 6-month deletion period is reset and starts anew.

C. Feedback Forms

Processing

Visitors to the Threema Website may submit feedbacks to Threema via a corresponding form (hereinafter “Feedback Form”).

Categories of Processed Personal Data

When submitting a Feedback Form, the following personal data is processed and stored on the Threema Servers:

  • First name (optional).

To protect the Threema Website from misuse, Threema uses a captcha from the hCaptcha service (see Section 2.J.).

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

  • Recording, processing, and answering of feedback.

Legal Basis

When submitting Feedback Forms, the processing of the Visitor’s personal data only takes place if the Visitor has given Threema their voluntary consent for the processing of this personal data; Art. 31 Sec. 1 FADP [for EU/EEA: Art. 6 Sec. 1 lit. a GDPR].

Storage Period

The first name provided by the Visitor when submitting Feedback Forms is stored on the Threema Servers for 6 months and then automatically deleted. If the Visitor reacts to their Feedback Form via the Threema App before the deletion period expires, the 6-month deletion period is reset and starts anew.

D. Prize Draws

Processing

From time to time, Threema carries out prize draws, for which Visitors may register via a corresponding form on the Threema Website.

Visitors may voluntarily subscribe to Threema’s newsletter when registering for a prize draw (see Section 2.H.)

Categories of Processed Personal Data

When registering for a prize draw, the following personal data is processed and stored on the Threema Servers:

  • First name;
  • Last name;
  • Company;
  • Email address;
  • Telephone number.

To protect the Threema Website from misuse, Threema uses a captcha from the hCaptcha service (see Section 2.J.).

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

  • Carrying-out of prize draws;
  • Marketing.

Legal Basis

In the context of a prize draw registration, the processing of the Visitor’s personal data only takes place if the Visitor has given Threema their voluntary consent for the processing of this personal data; Art. 31 Sec. 1 FADP [for EU/EEA: Art. 6 Sec. 1 lit. a GDPR].

Storage Period

The personal data provided by the Visitor in the context of a prize draw registration is stored on the Threema Servers for the duration of the prize draw and beyond for a maximum of 1 month and then deleted. If the prize draw is aimed at business customers, the personal data provided by the Visitor will be further processed for the purpose of initiating or conducting consultations (see Section 2.G.).

The personal data of prize draw winners will be further processed in the context of the awarding of the prizes.

If the Visitor also subscribes to Threema’s newsletter when registering for a prize draw, their email address will be (further) processed until revocation, irrespective of the deletion period of the prize draw (see Section 2.H.).

E. Business Contact Forms

Processing

The Threema Website offers Visitors, primarily business customers, “Business Contact Forms” on various topics:

  • Product consultations;
  • Business inquiries;
  • Appointments;
  • Requests for gated content (whitepapers, video recordings, etc.).

Visitors may voluntarily subscribe to Threema’s newsletter when submitting Business Contact Forms (see Section 2.H.)

Categories of Processed Personal Data

When submitting a Business Contact Form, the following personal data is processed and stored on the Threema Servers (this may vary depending on the form, and some information may be optional):

  • First name;
  • Last name;
  • Company;
  • Country;
  • Email address;
  • Telephone number;
  • Customer status.

To protect the Threema Website from misuse, Threema uses a captcha from the hCaptcha service (see Section 2.J.).

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

  • Recording, processing, and answering business inquiries;
  • Marketing.

Legal Basis

When submitting Business Contact Forms, the processing of the Visitor’s personal data only takes place if the Visitor has given Threema their voluntary consent for the processing of this personal data; Art. 31 Sec. 1 FADP [for EU/EEA: Art. 6 Sec. 1 lit. a GDPR].

Storage Period

The personal data provided by the Visitor when submitting Business Contact Forms is stored on the Threema Servers for 6 months and then automatically deleted. If the Visitor submits another Business Contact Form with the same email address before the deletion period expires, the 6-month deletion period is reset and starts anew.

If consultations are initiated or conducted with the Visitor as a business customer in addition to answering their inquiry, the personal data provided by them will be further processed (see Section 2.G.).

If the Visitor also subscribes to Threema’s newsletter when submitting a Business Contact Form, their email address will be (further) processed until revocation, irrespective of the 6-month deletion period (see Section 2.B.).

F. Webinars

Processing

The Threema Website offers Visitors, primarily business customers, the opportunity to register for webinars.

The information provided in the corresponding form, including personal data, is not only processed on the Threema Servers, but it is also disclosed to the “Livestorm” service of Livestorm SAS, 60, rue François 1er, 75008 Paris, France (hereinafter “Livestorm SAS”). Livestorm SAS is “ISO 27001”-certified and hosts its Livestorm service in Ireland. Visitors can find more information on data protection at Livestorm SAS under this external link.

France and Ireland are members of the European Union and fall within the scope of application of the GDPR and is included in the list of states under Annex 1 to the Ordinance on Data Protection of August 31, 2022 (“DPO”; SR 235.11); therefore, its legislation does ensure adequate data protection; Art. 16 Sec. 1 FADP in connection with Art. 8 Sec. 1 DPO.

Visitors who have registered for a webinar will receive a participation link for that webinar from Livestorm SAS to the email address they have provided. In the run-up to the webinar, registered Visitors may receive emails with event reminders and further information on the topic of the webinar, possibly combined with the opportunity to submit questions. Upon completion of the webinar, registered Visitors will receive another email thanking them for attending the webinar or, in the case of non-attendance, indicating that they missed the webinar. If the webinar was recorded, registered Visitors will be provided with a download link for the video recording.

Categories of Processed Personal Data

When registering for a webinar, the following personal data is processed on the Threema Servers and disclosed to Livestorm SAS:

  • First name;
  • Last name;
  • Company;
  • Country;
  • Email address;
  • Customer status.

To protect the Threema Website from misuse, Threema uses a captcha from the hCaptcha service (see Section 2.J.).

Purpose

The aforementioned personal data is processed by Threema and disclosed to Livestorm SAS for the following purposes:

  • Registration and participation in webinars;
  • Marketing.

Legal Basis

The processing of the Visitor’s personal data for the registration and participation in a webinar only takes place if the Visitor has given Threema their voluntary consent for the processing of this personal data, including its disclosure to Livestorm SAS; Art. 31 Sec. 1 FADP [for EU/EEA: Art. 6 Sec. 1 lit. a GDPR].

Storage Period

The personal data provided by the Visitor for the registration and participation in a webinar is automatically deleted from the Threema Servers after being disclosed to Livestorm SAS. Threema will then import the personal data provided from the Livestorm service to the Threema Servers and process them beyond the webinar to initiate or conduct consultations (see Section 2.G.).

For the storage period of the Visitor’s personal data at Livestorm SAS, the privacy policy of Livestorm SAS applies, which can be found under this external link.

G. Further Processing of Personal Data for Consultations (Business Customers Only)

Processing

Personal data from Visitors of the Threema Website collected by Threema in the context of prize draws aimed at business customers (Section 2.D.), Business Contact Forms (Section 2.E.), and webinars (Section 2.F.) will be further processed by Threema in order to conduct consultations with potential business customers about Threema’s business products and services or to provide them with relevant information to initiate consultations.

Visitors who are contacted by Threema for consultations may declare their disinterest at any time in order not to be contacted by Threema for consultations in the future.

Note: Only personal data from forms on the Threema Website aimed at business customers will be further processed for consultations.

Categories of Processed Personal Data

In order to conduct consultations, the following personal data, obtained under Sections 2.D., 2.E., and 2.F., is processed and stored on the Threema Servers:

  • First name;
  • Last name;
  • Company;
  • Country;
  • Email address;
  • Telephone number;
  • Customer status.

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

  • Marketing.

Legal Basis

The processing of the Visitor’s personal data for consultation purposes is based on the overriding private interest (marketing) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

This data processing is necessary to conduct consultations with potential business customers about Threema’s business products and services or to provide them with relevant information.

Storage Period

Threema processes personal data to conduct consultations either until revocation, i.e., until the affected Visitor declares their disinterest in consultations, or for a maximum of 12 months, counting from the Visitor’s last reaction to being contacted for consultations by Threema. As soon as a Visitor declares their disinterest in consultations or does not respond to consultation offers during 12 months, their personal data will be deleted from the Threema Servers within 14 days at the latest.

H. Newsletters

Processing

Visitors of the Threema Website may subscribe to various newsletters of Threema, which are aimed at consumers or business customers.

Threema uses the “Double Opt-in” procedure for the Visitors’ consent to receive newsletters. Threema only sends a newsletter by email to a Visitor of the Threema Website if they have expressly consented to receive it in advance.

For this purpose, after submitting a newsletter subscription form, the Visitor receives a notification email in which they are asked to confirm the newsletter subscription via the link in the email.

Visitors may revoke their consent at any time and unsubscribe from the newsletter, either by clicking on a link at the end of each newsletter email or by sending a corresponding cancellation request to the following email address of Threema: marketing at threema dot ch

Categories of Processed Personal Data

To distribute the newsletter, the following personal data is processed and stored on the Threema Servers:

  • Email address.

To protect the Threema Website from misuse, Threema uses a captcha from the hCaptcha service (see Section 2.J.).

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

  • Marketing.

Legal Basis

The processing of the Visitor’s email address for the distribution of newsletters only takes place if the Visitor has given Threema their voluntary consent for the processing of this personal data; Art. 31 Sec. 1 FADP [for EU/EEA: Art. 6 Sec. 1 lit. a GDPR].

Storage Period

The email address provided by the Visitor is stored on the Threema Servers until revocation of consent, i.e., until unsubscribing from every newsletter, and then immediately deleted.

I. Press Releases

Processing

Visitors of the Threema Website may subscribe to Threema’s press distribution list, which is primarily aimed at journalists and press representatives.

Threema uses the same Double Opt-in procedure for the Visitors’ consent to receive press releases as for the newsletter (see Section 2.H.).

Visitors may revoke their consent at any time and unsubscribe from the press distribution list, either by clicking on a link at the end of each press release email or by sending a corresponding cancellation request to the following email address of Threema: press at threema dot ch

Categories of Processed Personal Data

To distribute press releases, the following personal data is processed and stored on the Threema Servers:

  • Email address.

To protect the Threema Website from misuse, Threema uses a captcha from the hCaptcha service (see Section 2.J.).

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

  • Public relations.

Legal Basis

The processing of the Visitor’s email address for the distribution of press releases only takes place if the Visitor has given Threema their voluntary consent for the processing of this personal data; Art. 31 Sec. 1 FADP [for EU/EEA: Art. 6 Sec. 1 lit. a GDPR].

Storage Period

The email address provided by the Visitor for the subscription to the press distribution list is stored on the Threema Servers until revocation of consent by the Visitor and then immediately deleted.

J. Misuse Protection (hCaptcha)

Processing

In order to protect the Threema Website from misuse through forms submitted by machines, Threema uses the captcha of the “hCaptcha” service for all forms used on the Threema Website.

hCaptcha is a service of Intuition Machines, Inc., 350 Alabama St, San Francisco, CA 94110, USA (hereinafter “Intuition Machines”). hCaptcha is “ISO 27001”-certified. Visitors can find more information on data protection at Intuition Machines under this external link.

The USA as the registered office of Intuition Machines and the probable place of data processing of the hCaptcha service is not included in the list of states under Annex 1 to the DPO; therefore, its legislation does not ensure adequate data protection; Art. 16 Sec. 1 FADP in connection with Art. 8 Sec. 1 DPO.

For this reason, personal data disclosed to Intuition Machines is converted to a one-way encrypted hash value on the Threema Servers before it is disclosed.

Note: No personal data is disclosed to Intuition Machines; identification of Visitors is thereby not possible.

Categories of Processed Personal Data

When solving a captcha, the following personal data is processed on the Threema Servers and disclosed to Intuition Machines in pseudonymized form:

  • IP address (one-way encrypted).

Purpose

The aforementioned personal data is processed by Threema and disclosed to Intuition Machines in pseudonymized form for the following purposes:

  • Information security.

Legal Basis

The processing of IP addresses on the Threema Servers and their disclosure to Intuition Machines in pseudonymized form is based on the overriding private interest (misuse protection) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

This data processing is necessary to prevent misuse through forms on the Threema Website submitted by machines.

Storage Period

After their pseudonymization and their disclosure to Intuition Machines in pseudonymized form, the IP addresses of Visitors are immediately deleted on the Threema Servers.

Processing

In order to analyze the effectiveness of marketing measures aimed at business customers, Threema uses affiliate links on the Threema Website and on third-party websites, which redirect a Visitor to the Threema Website.

When a Visitor clicks on an affiliate link, a cookie (hereinafter “Threema Cookie”) is created in the browser of the Visitor’s end device. Cookies are generally small text files that a browser automatically creates and stores on the respective end device.

The Threema Cookie only stores the information about the path (e.g., a specific button on the Threema Website or a specific advertising banner on a third-party website) the Visitor used to ultimately create a customer account for the web-based software “Threema Work” for business customers. A Visitor with a Threema Cookie on his end device only becomes identifiable for Threema when transmitting personal data to the Threema Servers to create a customer account for Threema Work.

Note: Without creating a customer account for Threema Work, a Visitor is not identifiable for Threema via the Threema Cookie; identification of consumers is thereby not possible.

Categories of Processed Personal Data

As long as no customer account for Threema Work is created by a Visitor with a Threema Cookie, no personal data is processed within the scope of this processing activity.

Purpose

The Threema Cookie is processed by Threema for the following purposes:

  • Marketing analysis.

Legal Basis

The processing of the Threema Cookie on the Threema Servers is based on the overriding private interests (analysis of the effectiveness of marketing measures) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

This data processing is necessary to analyze the effectiveness of marketing measures. By not storing any other information in the Threema Cookie than the Visitor’s path, and by not making it possible to identify the Visitor until they create a customer account for Threema Work, the privacy of a Visitor to the Threema Website is respected to the greatest possible extent.

Storage Period

The Threema Cookie is stored on the Visitor’s end device for 90 days and then automatically deleted.

3. Disclosure of Data to Third Parties

Principally, Threema does not disclose to third parties any personal data that is transmitted by the Visitor when visiting and interacting with the Threema Website and that is then processed and stored on the Threema Servers.

Registering For and Participating in Webinars via Livestorm of Livestorm SAS

In connection with the registration and participation in webinars, personal data of Visitors, namely their first names, last names, companies, countries, email addresses, and customer status, are processed by Livestorm SAS in Ireland (see Section 2.F.)

Threema reserves the right to disclose personal data to third parties (e.g., lawyers) if it is necessary for the assertion, exercise, or defense of legal claims by Threema.

4. Collection of Data from Third Parties

Principally, Threema does not collect from third parties any personal data that is transmitted by the Visitor when visiting and interacting with the Threema Website and that is then processed and stored on the Threema Servers.

5. Data Security

Threema takes all necessary technical and organizational measures to prevent unauthorized access and misuse of data of Visitors to the Threema Website. The security measures are continuously improved in line with technological developments.

6. Rights of the Visitor

As data subjects, Visitors of the Threema Website can assert various claims under data protection law against Threema.

In order to fulfil these claims, Threema may have to process personal data of data subjects. In particular, Threema must be able to identify the data subject in order to ensure that the data subject rights are not exercised by anyone other than the data subject and that no personal data is unlawfully disclosed to third parties.

Depending on the applicable law, data subjects may exercise the following rights in relation to personal data against Threema:

Right to Information

Art. 25 and 26 FADP [for EU/EEA: Art. 15 GDPR]

A data subject has the right to request information about their personal data processed by Threema.

Right to Correction or Completion

Art. 32 Sec. 1 FADP [for EU/EEA: Art. 16 GDPR]

A data subject has the right to request that Threema corrects inaccurate or completes incomplete personal data without undue delay.

Right to Deletion

Art. 32 Abs. 2 FADP [for EU/EEA: Art. 17 GDPR] A data subject has the right to request that Threema deletes their personal data without undue delay.

Right to Withdrawal of Consent

only for data processing based on consent; Art. 30 Sec. 2 FADP [for EU/EEA: Art. 7 Sec. 3 GDPR]

A data subject has the right to withdraw their consent to the processing of their personal data by Threema. This has the consequence that Threema may no longer continue the data processing based on this consent. The processing of the Visitor’s personal data by Threema up to this point in time on the basis of the Visitor’s consent remains lawful.

Right to Objection

only for data processing based on legitimate interests; Art. 30 Sec. 2 FADP [for EU/EEA: Art. 21 GDPR]

A data subject has the right to object to the processing of their personal data by Threema where such personal data is processed based on Threema’s overriding private interests; Art. 31 DSG [for EU/EEA: Art. 6 Sec. 1 lit. f GDPR].

Right to Blocking

Art. 32 FADP [for EU/EEA: Art. 18 GDPR]

For the protection of their personality, a data subject has the right to request that Threema blocks the processing of their personal data.

Right to Data Transfer

Art. 28 and 29 FADP [for EU/EEA: Art. 20 GDPR] [only for data processing based on consent or a contract and with the aid of automated procedures]

A data subject has the right to receive the personal data they have provided to Threema in a structured, commonly used, and machine-readable format, provided that:

  • the processing is based on consent or on a contract; and
  • the processing is carried out with the aid of automated procedures.

7. Timeliness and Amendment of this Privacy Policy

Threema reserves the right to amend this Privacy Policy from time to time in order to comply with changed legal requirements or to implement new functionalities in the Privacy Policy. The current Privacy Policy is always linked on the Threema Website.