06. November 2019
Threema GmbH (hereafter “Threema”) was founded on the premise of bulletproof data protection. It is our primary goal to store only the absolute minimum of information for the shortest possible time (“Privacy by Design”). In addition to using state-of-the-art encryption methods, we take all necessary technical and organizational measures to prevent unauthorized data access and misuse. The processing and protection of data is carried out in accordance with applicable legal regulations, particularly with the EU Regulation 2016/679 (GDPR).
By creating a Threema Broadcast admin account (hereinafter referred to as “Account”) and using the Service, you consent to the collection, processing and use of data as described below.
1. General Information
The Service enables the Client to communicate with users of the Threema and Threema Work apps and manage end users and administrators of the Service with a web interface and/or API.
2. Purpose of Data Processing
Threema processes personal data to
- enable the Client to create an Account,
- enable administrators to access the web interface and to place orders, and
- provide interactive, web-based communication tools to app users.
The data processed within the scope of order fulfillment will be processed exclusively by Threema on its own server infrastructure in Switzerland and will not be passed on to third parties.
Based on Art. 5 (1) GDPR, personal data is processed solely as a result of self-declaration and only to the extent required for the Use of the Service.
3. Scope and Duration of Data Processing
A. Inventory data
When creating an Account and when placing orders or making payments, the following inventory data is collected and stored:
- Required information
- Session cookie (identifies the current browser session so that the Client remains logged in during his or her website visit)
- Email address of administrators
- For credit card payments: name and address of the card holder
- Optional information
- First and/or last name of administrators
- Threema ID of administrators, if provided for two-factor authentication to log into the Account
- Name and postal address of the Client
B. Usage data
The provision of the Service requires that incoming and outgoing messages of a Broadcast ID be encrypted and decrypted on the server in order for the messages to be displayed in the Client’s web interface.
Depending on the use, messages are processed and/or stored within the scope of the Service according to the following list, whereas both messages and the private key of a Broadcast ID are stored individually for each Client in symmetrically encrypted form.
Solely processed, without being stored
- Incoming messages from feeds and distribution lists
- Incoming messages from group chats without activated option “Save message history”
Storage and processing
- Threema IDs (and optionally first name, surname and/or preferred correspondence language) of distribution-list recipients and feed subscribers
- Custom chatbot responses
- Outgoing messages of feeds and distribution lists
- Group chats with activated option “Save message history”: All incoming and outgoing messages of all group members of the selected Broadcast group chat as long as the option remains active (group chat members are automatically notified about the activation and deactivation of this option and can check its status anytime).
C. Time limits for erasure
- Session cookie: 30 minutes
- Except for the statutory retention period, inventory data is only stored until deleted by the customer.
- Usage data without storage will be deleted immediately after processing.
- Usage data with storage is stored until the Client deletes it or the Account is closed.
4. Data Processed by Third Parties
5. Right to Information, Correction, Blocking, Deletion and Appeal
The Client has the right to receive information about his personal data stored by Threema at any time. Likewise, he has the right to correct, block, or delete his personal data, apart from the legally required data storage for business purposes.
The Client has access to this information and the appropriate tools for its management. Threema will take necessary measures according to Client's instructions if the Client cannot implement them with the tools provided.
The Client can change or revoke his consent with effect for the future with a message to Threema and exercise their right of appeal at the competent authority.
6. Responsible Body
If you have any questions about data protection at Threema or would like to exercise your rights, you can contact us directly. Send us an email to firstname.lastname@example.org.
Responsible body and direct contact for questions on data protection at Threema in terms of data privacy law:
Threema GmbH Data Protection Officer Churerstrasse 82 8808 Pfäffikon SZ Switzerland email@example.com CHE-221.440.104
Representative in the EU according to Art. 27 (1) GDPR: GeKaCe GmbH, Dept. T, Weilerweg 13, 72411 Bodelshausen, Germany.
This is a mere translation of the German version of this document. In case of any discrepancies between the English and German text, the German version shall prevail.