Transparency report

Threema is designed from the ground up to generate as little data as technically possible. The less data that is generated in the first place, the lower is the potential for misuse and theft.

We only store data that’s absolutely necessary for the operation of the service, and we store it for the shortest amount of time possible. In particular, we only store messages on the servers until successful delivery – once a message is delivered to the recipient, it is immediately and irreversibly deleted on the server. It’s not required to provide personal information in order to use Threema. We don’t store IP addresses, and we don’t keep message logs. For further details, please refer to our privacy policy.

With Threema, the user applies the encryption, not the service provider. The decryption of a message is only possible with the recipient’s private key. This private key was generated by the recipient, and we don’t have access to it. It is therefore technically impossible for us to decrypt users’ messages.

Threema GmbH is not required to store communication metadata (“data retention”), as it does not exceed the revenue limits set by the Federal Act on the Surveillance of Post and Telecommunications (BÜPF) (version in effect since 01.03.2018) and the accompanying decree VÜPF.

However, as before, Threema GmbH must provide information that it already has upon judicial order. Therefore, we make a point of processing and storing as little information about our users as possible.

Here is how we handle requests for information about our users from authorities:

  • According to article 26 paragraph 2 of the VÜPF, we only deal with inquiries placed through the PTSS according to the procedure mandated by the VÜPF, and that fully meet the formal requirements according to legal examination.
  • Foreign authorities have to make an official request for legal assistance in accordance with the Federal Act on International Mutual Assistance in Criminal Matters; we don’t deal with direct inquiries by foreign authorities.
  • If the legal requirements are fully met, we can provide the following information associated with a given Threema ID:
    • Hash of phone number, if provided by the user
    • Hash of email address, if provided by the user
    • Push token, if a push service is used
    • Public key
    • Date (without time) of Threema ID creation
    • Date (without time) of last login

Here’s a statistic of all requests by authorities that we have received since 2014:

Year Requests by Swiss authorities Requests by foreign authorities with Swiss legal assistance Requests that have met the formal requirements Requests that didn’t meet the formal requirements Handing over of data (# cases) Handing over of data (# IDs)
2018 23 2 23 2 22 64
2017 2 2 4 - 3 12
2016 - 1 1 - 1 1
2015 1 - - 1 - -
2014 - - - - - -

Last update: 19.11.2018