Threema takes data privacy very seriously. We strive to store only the absolutely necessary information for the shortest possible time. Furthermore, we take all usual technical measures to prevent unauthorized access to your data on our servers.
Security of messages
Kasper Systems GmbH as the operator of the Threema servers has no way to decrypt messages of Threema users because it does not have knowledge of their private keys.
The encrypted messages and media (images, videos etc.) are deleted on the servers as soon as they have been delivered successfully.
Header information of messages (sender, recipient etc.) is protected by an additional encryption layer for transmission to the server, and from the server to the recipient, to prevent eavesdropping by third parties (e.g. in open wireless LANs).
Address book data
Email addresses and phone numbers from the user's address book (if the user has enabled synchronization) are only transmitted to the server in one-way encrypted ("hashed") form and additionally protected using SSL. The servers only keep these hashes in volatile memory for a short time to determine the list of matching IDs, and then delete the hashes immediately. At no point are the hashes or the results of the synchronization written to disk.
Linking of email addressess and phone numbers
It is left at the discretion of the user whether or not they want to link their Threema ID with an email address or phone number. Threema can be used without this link; in that case, the user cannot be found automatically by other users via address book synchronization.
Email addresses and phone numbers that have been linked will only be stored for the purpose of synchronization and not given to third parties. They will also not be used for advertising purposes. Users can delete their links at any time.
Android: If the user explicitly chooses to submit a crash report about the Android app, information about the crash (state of the app at the time of the crash, last log messages) will be sent to Google and stored there for analysis by Kasper Systems GmbH.
In general, the regulations of the Swiss Federal Act of on Data Protection (FADP) as well as the Ordinance to the Federal Act on Data Protection (OFADP) apply.