Privacy Policy

1. General

The “Threema App” was developed to process and store as little metadata as possible on a central server. The identification of a user of the Threema App (hereinafter “User”) takes place exclusively via an 8-digit alphanumeric ID (hereinafter “Threema ID”) and a public key, both of which are randomly generated by the User when setting up the Threema App.

A. Scope of Application

This Privacy Policy applies to all data processing activities that take place while using the Threema App in its latest version and are related to personal data, namely:

A. Setting up the Threema App;
B. Address Book Synchronization;
C. Sending Messages;
D. Sending Messages to Broadcast IDs;
E. Voice and Video Calls;
F. Group Calls;
G. License Verification;
H. Crash Reports.

Threema as the data controller is a limited liability company under Swiss law with its registered office in Pfäffikon SZ (municipality of Freienbach), Switzerland, and business identification number (hereinafter “UID”) CHE-221.440.104.

When a User uses the Threema App, personal data is, unless otherwise stated in this Privacy Policy, processed and, if necessary, stored exclusively on Threema’s own servers in two data centers of an “ISO 27001”-certified colocation partner located in Zurich, Switzerland (hereinafter “Threema Servers”).

As a company with its registered office in Switzerland, Threema and the data processing it carries out are subject to Swiss data protection law (Federal Act on Data Protection of September 25, 2020, SR 235.1; hereinafter “FADP”). For data subjects residing in the territory of the EU or the EEA (marked with “for EU/EEA”), European data protection law (Regulation (EU) 2016/679 of April 27, 2016, General Data Protection Regulation; hereinafter “GDPR”) may additionally apply.

Personal data pursuant to Art. 5 lit. a FADP [for EU/EEA: Art. 4 No. 1 GDPR] is information that relates to an identified or identifiable natural person.

B. Controller

Threema GmbH
Churerstrasse 82
8808 Pfäffikon SZ
Switzerland

UID: CHE-221.440.104

C. Data Protection Officer

Threema GmbH
Data Protection Officer
Churerstrasse 82
8808 Pfäffikon SZ
Switzerland

Email: privacy at threema dot ch

D. Representative in the EU (Art. 27 GDPR)

ACC Datenschutz UG
Messestrasse 6
94036 Passau
Germany

E. Swiss Supervisory Authority

Federal Data Protection and Information Commissioner (FDPIC)
Feldweg 1
3003 Bern
Switzerland

Telephone: +41 58 462 43 95
Contact form of the FDPIC: Link

2. Processing Activities

Depending on how a User uses the Threema App, Threema processes different categories of personal data about the User for different purposes, based on different legal bases and with different storage periods, if any personal data is stored at all.

A. Setting up the Threema App

Processing

In addition to the Threema ID and the key pair (public and private key), various other data points are generated and linked to the Threema ID on the Threema Servers when the Threema App is set up on the User’s mobile device.

Categories of Processed Personal Data

When setting up the Threema App, the following personal data is generated and stored as inventory data on the Threema Servers:

Note: On mobile devices without Google Play services and in the “Threema Libre” version of the Threema App, no Google push tokens are generated. Users can find more information on Threema Libre on the Threema website: Link

The following personal data, which is optional for the use of the Threema App, may be provided voluntarily by the User and is stored only in the form of one-way encrypted hash values as inventory data on the Threema Servers:

All personal data, including the one-way encrypted hash values, is protected on its way to the Threema Servers by transport encryption in order to make it impossible for third parties to intercept the data.

Note: Before a User’s telephone number and/or email address is linked to their Threema ID, this personal data must be verified as being that of the User in an automated process.

Email address verification: To verify a User’s email address, it is transmitted to the Threema Servers after having been entered in the Threema App, and processed in plain text in order to send the User an email with a confirmation link.

Telephone number verification: For the verification of a User’s telephone number, it is transmitted to the Threema Servers after having been entered in the Threema App, and processed in plain text. The User will then receive a confirmation code by SMS.

For the delivery of the confirmation code to the User to verify the telephone number, Threema relies on the services “eCall” of F24 Schweiz AG, Samstagernstrasse 45, 8832 Wollerau, Switzerland, (hereinafter “F24”) as well as “IMASYS” of Swissphone Wireless AG, Fälmisstrasse 21, 8833 Samstagern, Switzerland (hereinafter “Swissphone”). Both F24 and Swissphone are “ISO 27001”-certified and host their services “eCall” and “IMASYS” in Switzerland. Users can find more information on data protection at F24 and Swissphone on the websites of F24 (Link) and Swissphone (Link).

Note for Users outside of Switzerland and EU/EEA: To deliver the confirmation codes by SMS to Users outside of Switzerland and EU/EEA, Threema relies on the services of Twilio Inc., 101 Spear Street, 5th Floor, San Francisco, California, 94105, USA (hereinafter “Twilio”). Users can find more information on data protection at Twilio under the following link from Twilio: Link

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

Legal Basis

The processing and storage of personal data for setting up the Threema App is based on the overriding private interest (use of the Threema App by the User; contract performance) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

The processing of the User’s personal data for setting up the Threema App is necessary to enable the User to use the Threema App as contractually agreed.

Storage Period

The push token stored when setting up the Threema App is stored on the Threema Servers for a maximum of 1 year, calculated from the date of the last connection of a Threema ID to the Threema Servers, and then automatically deleted. The User may delete the stored push token at any time (see Section 6).

The one-way encrypted hash values of the telephone number and/or email address of the User are stored on the Threema Servers until revocation so that Users who reactivate their Threema ID with a backup do not have to relink this data. The User may delete this data at any time (see Section 6).

The telephone number and/or email address of the User processed for verification is stored on the Threema Servers for a maximum of 1 month as a one-way encrypted hash value, provided the User does not complete the verification process. In the event of successful verification, the telephone number and/or email address are linked as one-way encrypted hash values to the Threema ID of the User.

B. Address Book Synchronization

Processing

In order to facilitate finding other Users of the Threema App, a User may voluntarily enter their telephone number and/or email address in the Threema App and link it to their Threema ID (see Section 2.A.).

If Users voluntarily activate the optional contact synchronization in the Threema App, one-way encrypted hash values of telephone numbers and/or email addresses in the contact list of their mobile device are transmitted to the Threema Servers manually (by pulling down the screen) or automatically approximately every 24 hours to search for identical hash values of telephone numbers and email addresses that other Users have linked to their Threema IDs. If identical hash values are found that other Users have linked with their Threema ID, these Users will appear in the Threema App contact list stored on the mobile device. In this way, the locally stored contact list of the Threema App automatically stays up to date.

Categories of Processed Personal Data

For address book synchronization, the following personal data is processed on the Threema Servers only as one-way encrypted hash values:

In addition, the one-way encrypted hash values are protected on their way to the Threema Servers by transport encryption in order to make it impossible for third parties to intercept the hash values.

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

Legal Basis

The processing of the telephone number and/or email address of a User and of persons in the contact list on the User’s mobile device (only in the form of one-way encrypted hash values) for address book synchronization in a User’s contact list in the Threema App is based on the overriding private interest (use of the Threema App by the User; contract performance) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

The processing of telephone numbers and/or email addresses of persons in the contact list on a User’s mobile device is necessary to enable the User to use the Threema App as contractually agreed.

Storage Period

The storage period of the telephone number and/or email address provided by the User is identical to the storage period for inventory data processed for setting up the Threema App (see Section 2. A.).

The one-way encrypted hash values of the telephone numbers and/or email addresses of persons in the contact list on a User’s mobile device are immediately deleted from the Threema Servers after an address book synchronization has been performed. They are never permanently stored on the Threema Servers, unlike the telephone number and/or email address linked with a User’s Threema ID.

C. Sending Messages

Processing

The Threema App encrypts all message content (text messages, media files, and system messages) and voluntarily and optionally set nicknames and profile pictures of Users by means of a secure end-to-end encryption process.

Since the private key to decrypt a message is stored exclusively on the recipient’s mobile device, Threema doesn’t have access to message contents of Users.

Interested Users can find more information about the encryption in the Threema App in Threema’s Cryptography Whitepaper on the Threema website: Link

D. Sending Messages to Broadcast IDs

Processing

In addition to the Threema App for consumers, Threema also offers “Threema Work,” software for business customers. Threema Work offers additional features compared to the Threema App, including “Threema Broadcast.”

With Threema Broadcast, special Threema IDs can be created. They are marked with an asterisk (“*”) at the beginning of the 8-digit ID (hereinafter “Broadcast ID”).

Broadcast IDs are principally used for one-way one-to-many communication, i.e., sending the same message to several Users, whereas between Users of the Threema App, two-way one-to-one communication takes place. Users of the Threema App are still able to send messages to Broadcast IDs.

Note: A Broadcast ID can receive messages from Users like a Threema ID. As the endpoint of the end-to-end encryption, such messages will be decrypted by the private key of the Broadcast ID on the Threema Servers, but they are never permanently stored (with one exception).

“Save Chat History” feature: With Broadcast IDs, groups can be created, and Users of the Threema App can be invited to such groups. In such groups, the business customer behind the Broadcast ID has the option to activate the “Save Chat History” feature.

Groups of a Broadcast ID, in which the “Save Chat History” feature has been activated, can be recognized by the cloud emoji (☁️), which is technically mandatory and prefixed to the name of the group of the Broadcast ID. Users who were members of such a group before activation (or deactivation) of the feature automatically receive a warning in the form of a system message.

If this feature is activated, all encrypted message content sent into the group of a Broadcast ID by Users is not only decrypted on the Threema Servers upon receipt by the Broadcast ID, but also stored.

Note: The controller responsible for the processing of decrypted message contents in connection with the use of the “Save Chat History” feature of a Broadcast ID is the respective business customer of Threema, who decides on the activation and thus the purposes and means of this data processing. Threema processes this personal data on behalf of its business customer, i.e., as a processor.

Categories of Processed Personal Data

Upon receipt of a message by a Broadcast ID, the following personal data is processed and, if the “Save Chat History” feature is activated, stored on the Threema Servers:

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

Legal Basis

The processing of decrypted message contents of Users and their storage in a group of a Broadcast ID, in which the “Save Chat History” feature has been activated, is based on the overriding private interest (contract performance) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

This data processing is necessary to enable business customers to use Threema Broadcast as contractually agreed.

Storage Period

The decrypted message content is stored on the Threema Servers for the following durations, calculated from receipt by the Broadcast ID, and then automatically deleted:

E. Voice and Video Calls

Processing

In addition to exchanging text messages and media files, Users of the Threema App can also communicate with each other independently of the public telephone network via internet-based voice and video calls.

An encrypted system message (see Section 2.C.) is sent when starting voice and video calls to establish the call with the correct User of the Threema App and to inform them of the incoming call. The callee answers with a corresponding encrypted system message, which informs the calling User whether the callee accepts or declines the call.

If the callee accepts the call, the IP addresses of the two Users are transmitted to and processed on the Threema Servers. In principle, the processing ends with the establishment of a direct peer-to-peer connection between the Users without further processing of the IP addresses on the Threema Servers. Further transmission of the voice or video call is only carried out via the Threema Servers in the following cases:

Like for sending messages (see Section 2.C.), the Threema App encrypts all voice and video call contents using a secure end-to-end encryption process. Threema doesn’t have access to the Users’ call contents.

Categories of Processed Personal Data

To establish voice and video calls between Users, and to transmit them via the Threema Servers if no peer-to-peer connection can be established, the following personal data is processed on the Threema Servers:

The IP addresses of the call participants are only processed after the callee has accepted the voice or video call.

Users can deactivate voice and video calls in the Threema App.

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

Legal Basis

The processing of IP addresses for the establishment and potential transmission of voice and video calls is based on the overriding private interest (use of the Threema App by the User; contract performance) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

This processing of IP addresses for the establishment and potential transmission of voice and video calls is necessary to enable the User to use the Threema App as contractually agreed.

Storage Period

The IP addresses of the Users are immediately deleted from the Threema Servers after the peer-to-peer connection between the call participants has been successfully established or, if the call is transmitted via the Threema Servers, after the voice or video call has been terminated. IP addresses are never permanently stored on the Threema Servers for voice and video calls.

F. Group Calls

Processing

In addition to individual voice and video calls between two Users, the Threema App also offers “Group Calls” with more than two Users at the same time.

As a member of a group, a User can start a Group Call with the other members of the group. Like individual calls, a Group Call allows both voice and video transmission.

Group Calls are only transmitted via special servers, so-called “Selective Forwarding Units” (hereinafter “SFU”). To start a Group Call, a User must first establish a connection to the SFU, for which their IP address is processed. As soon as the connection to the SFU has been successfully established, a system message notifies the other members of a group that a Group Call has been started and they can join. Like for the establishment of individual voice and video calls, encrypted system messages (see Section 2.C.) are sent by the Threema App to enable the correct Users of the Threema App to join the Group Call and to inform them that the Group Call has been started.

After informing the other members of the group with a system message, the Threema Apps of all members of a group, including of the one who started the Group Call, will continually request the status of the Group Call on the SFU until the Group Call is terminated. As long as the Group Call is active, the IP addresses of all members of the group, including of those who do not join the Group Call, are continually processed in order to request the status of the Group Call on the SFU, and permanently processed to maintain the connection to the SFU during participation in the Group Call.

Categories of Processed Personal Data

To establish and transmit a Group Call, the following personal data is processed on the SFU:

Unlike individual voice and video calls, the IP addresses of Users who are members of a group in the Threema App in which a User has started a Group Call are processed on the SFU as soon as the system message is delivered that a Group Call has been started.

Note: This processing of IP addresses also takes place if a User has deactivated Group Calls in the Threema App.

For Group Calls, the Threema Servers are used and SFU operated by Leaseweb Netherlands B.V., Hessenbergweg 95, 1101 CX Amsterdam, the Netherlands (hereinafter “Leaseweb”). The SFU are located in an “ISO 27001”-certified data center of Leaseweb in Amsterdam, the Netherlands. Users can find more information on data protection at Leaseweb on the website of Leaseweb: Link

The Netherlands is a member of the European Union, falls within the scope of application of the GDPR, and is included in the list of states under Annex 1 to the Ordinance on Data Protection of August 31, 2022 (“DPO”; SR 235.11); therefore, its legislation does ensure adequate data protection; Art. 16 Sec. 1 FADP in connection with Art. 8 Sec. 1 DPO.

Like for individual voice and video calls (see Section 2.E.), the Threema App encrypts all Group Call contents with a secure end-to-end encryption process. Neither Threema nor Leaseweb have access to the Users’ call content.

Purpose

The aforementioned personal data will be processed by Threema for the following purposes.

The use of Leaseweb’s SFU for Group Calls serves the purpose of ensuring the lowest possible latency and smooth communication for Users of the Threema App when using Group Calls.

Legal Basis

The processing of IP addresses for the establishment and potential transmission of Group Calls is based on the overriding private interest (use of the Threema App by the User; contract performance) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

The processing of IP addresses for the establishment and potential transmission of Group Calls is necessary to enable the User to use the Threema App as contractually agreed.

Storage Period

The IP addresses of Users that are processed on the SFU for the establishment and transmission of Group Calls are immediately deleted from the SFU after the Group Call has ended, irrespective of whether the SFU are those of Threema or Leaseweb. IP addresses are never permanently stored for Group Calls.

G. License Verification

Processing

Threema finances its business by collecting license fees instead of selling the data of its Users. When generating a Threema ID during the set-up of the Threema App, an automatic license verification is performed to verify the User’s authorization to use the Threema App.

During the license verification, a pseudonymized digital purchase receipt from the app store (Apple/Google/Huawei) where the User purchased the Threema App is transmitted to the Threema Servers and verified. A one-way encrypted version of this purchase receipt is stored as a hash value together with a counter, and the purchase receipt is then immediately deleted.

Note: The User’s purchase receipt transmitted to Threema is not linked to the User’s Threema ID.

If a license key from Threema’s own “Threema Shop” (Link to the Threema Shop) is used for licensing, the license key is transmitted and verified on the Threema Servers instead of the purchase receipt. After verification, the license key is stored together with a counter on the Threema Servers.

Note: The User’s license key transmitted to Threema is not linked to the User’s Threema ID.

Categories of Processed Personal Data

If the Threema App has been purchased from an app store, the following personal data is processed for license verification during the set-up of the Threema App:

If the Threema App has been purchased via the Threema Shop, the following personal data is processed for license verification during the set-up of the Threema App:

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

Legal Basis

This data processing is based on the overriding private interest (contract performance) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

This data processing is necessary to verify the User’s authorization to use the Threema App, and thus to prevent misuse and piracy.

Storage Period

The one-way encrypted hash value of the pseudonymized digital purchase receipt and the license key are stored together with a counter on the Threema Servers for 30 days and then automatically deleted.

H. Crash Reports

Processing

In order to improve the stability and reliability of the Threema App and to further develop the Threema App, Threema relies on crash reports from Users.

It depends on the operating system of the mobile device (Android or iOS) used by the User which data is processed by Threema when evaluating crash reports of the Threema App and how this data is collected by Threema.

Note: As an alternative independent from the operating system, Users of the Threema App can voluntarily send crash reports within the Threema App to the Threema ID “*SUPPORT.” To send crash reports via the Threema App, the debug log (hereinafter “Debug Log”) must be activated in the Threema App. The Debug Log is never sent automatically to Threema, but only manually by the User.

Categories of Processed Personal Data

iOS: No personal data is processed by Threema when evaluating crash reports from Users with an iOS operating system.

Android: No personal data is processed by Threema when evaluating crash reports from Users with an Android operating system.

Debug Log of the Threema App: The following personal data is processed when evaluating Debug Logs of the Threema App:

Purpose

The aforementioned personal data is processed by Threema for the following purposes:

Legal Basis

The processing of Debug Logs is based on the overriding private interest (bug fixing and improvement of the product) of Threema; Art. 31 Sec. 2 lit. a FADP [for EU/EEA: Art. 6 Sec. 1 lit. b GDPR].

Necessity

This data processing is necessary to fix bugs of the Threema App and to further improve the Threema App.

Storage Period

The data from Debug Logs of the Threema App is stored by Threema on the Threema Servers until their analysis and then anonymized or deleted.

3. Disclosure of Data to Third Parties

Principally, Threema does not disclose to third parties any personal data that is transmitted by the User when using the Threema App and that is then processed and stored on the Threema Servers.

Verification of Telephone Numbers with F24 or Swissphone

In connection with the verification of telephone numbers, personal data of Users, namely their telephone numbers, is processed by F24 or Swissphone in Switzerland (see Section 2.A.).

Verification of Telephone Numbers with Twilio (Only for Users Outside of Switzerland and EU/EEA)

In connection with the verification of telephone numbers of Users outside of Switzerland and EU/EEA, personal data, namely their telephone numbers, is processed by Twilio in the USA (see Section 2.A.).

Group Calls via SFU of Leaseweb

In connection with Group Calls, personal data of Users, namely their IP address, may be processed by Leaseweb in the Netherlands (see Section 2.F.).

Threema reserves the right to disclose personal data to third parties (e.g., lawyers) if it is necessary for the assertion, exercise, or defense of legal claims by Threema.

4. Collection of Data from Third Parties

Principally, Threema does not collect from third parties any personal data that is transmitted by the User when using the Threema App and that is then processed and stored on the Threema Servers.

5. Data Security

In addition to using state-of-the-art encryption methods, Threema takes all necessary technical and organizational measures to prevent unauthorized access and misuse of data of Users of the Threema App. The security measures are continuously improved in line with technological developments.

6. Control Options of the User

In addition to the legal claims of data protection law (see Section 7), Threema provides Users the following control options over their personal data:

Rectification, Completion, and Deletion of Telephone Numbers and Email Addresses

The User may rectify or complete their telephone number and/or email address in the Threema App under “My Profile.”

The User may unlink their telephone number and/or email address from their Threema ID at any time by deleting the corresponding data in the Threema App under “My Profile.”

Alternatively, the User may also unlink the data on the Threema website: Link

The corresponding one-way encrypted hash values of the User’s telephone number and/or email address will then be deleted immediately from the Threema Servers.

Deletion of Push Tokens

The User may delete the push tokens currently linked to their Threema ID at any time by resetting the push tokens in the Threema App under “About Threema > Troubleshooting”.

Threema Push Instead of Google Push Token

Users may use Threema’s own push service “Threema Push” as an alternative to the Google push token. Users can find out more about Threema Push in the corresponding FAQ article on the Threema website.

Information About Inventory Data

Users may request information about their inventory data, including personal data, stored by Threema and linked to the User’s Threema ID at any time by sending the message “info” to the Threema ID “*MY3DATA.” Users can find out more in the corresponding FAQ article on the Threema website.

Deletion of All Inventory Data by Revocation

The User may immediately delete their Threema ID and all information linked with it, including personal data, at any time. To do so, the User must revoke their Threema ID via the following link on the Threema website: Link

The revocation of the Threema ID is irreversible, and a Revocation Password must be set in advance in the Threema App.

7. Rights of the User

As data subjects, Users of the Threema App can assert various claims under data protection law against Threema.

In order to fulfil these claims, Threema may have to process personal data of data subjects. In particular, Threema must be able to identify the data subject in order to ensure that the data subject rights are not exercised by anyone other than the data subject and that no personal data is unlawfully disclosed to third parties.

Regarding the processing of personal data through the use of the Threema App, secure identification of the data subject is only possible via algorithmic proof of possession of the private key associated with the Threema ID via a so-called key derivation. This is ensured in the case of automated inventory data information for Users of the Threema App via the Threema ID “*MY3DATA” (see Section 6).

Depending on the applicable law, data subjects may exercise the following rights in relation to personal data against Threema:

Right to Information

Art. 25 and 26 FADP [for EU/EEA: Art. 15 GDPR]

A data subject has the right to request information about their personal data processed by Threema.

Right to Correction or Completion

Art. 32 Sec. 2 FADP [for EU/EEA: Art. 16 GDPR]

A data subject has the right to request that Threema corrects inaccurate or completes incomplete personal data without undue delay.

Right to Deletion

Art. 32 Sec. 2 FADP [for EU/EEA: Art. 17 GDPR]

A data subject has the right to request that Threema deletes their personal data without undue delay.

Right to Withdrawal of Consent

only for data processing based on consent; Art. 30 Sec. 2 FADP [for EU/EEA: Art. 7 Sec. 3 GDPR]

A data subject has the right to withdraw their consent to the processing of their personal data by Threema. This has the consequence that Threema may no longer continue the data processing based on this consent. The processing of the User’s personal data by Threema up to this point in time on the basis of the User’s consent remains lawful.

Right to Objection

only for data processing based on legitimate interests; Art. 30 Sec. 2 FADP [for EU/EEA: Art. 21 GDPR]

A data subject has the right to object to the processing of their personal data by Threema where such personal data is processed based on Threema’s overriding private interests; Art. 31 FADP [for EU/EEA: Art. 6 Sec. 1 lit. f GDPR].

Right to Blocking

Art. 32 FADP [for EU/EEA: Art. 18 GDPR]

For the protection of their personality, a data subject has the right to request that Threema blocks the processing of their personal data.

Right to Data Transfer

Art. 28 and 29 FADP [for EU/EEA: Art. 20 GDPR] [only for data processing based on consent or a contract and with the aid of automated procedures]

A data subject has the right to receive the personal data they have provided to Threema in a structured, commonly used, and machine-readable format, provided that:

8. Timeliness and Amendment of this Privacy Policy

Threema reserves the right to amend this Privacy Policy from time to time in order to comply with changed legal requirements or to implement new features in the Privacy Policy. The current Privacy Policy is always linked in the Threema App.