Transparency Report

Threema was developed from the ground up with data minimization and security in mind (Privacy by Design). For example, it is not required to provide personally identifiable information of any kind in order to use the service, and all types of communication (single and group chats, audio and video calls, etc.) are fully end-to-end encrypted.

The only way to decrypt a Threema message is by means of the intended recipient’s private key. Since nobody except the intended recipient has access to their private key, no one besides the intended recipient is able to decrypt their messages. In other words, not even Threema GmbH as the service provider can decrypt, let alone read, user messages.

Only as little data as possible is stored on Threema servers, and it is always stored for the shortest amount of time possible. Contact lists and group chats, for example, are managed directly on the users’ mobile devices, not on a central server.

Since Threema GmbH does not exceed the revenue limits set by the Federal Act on the Surveillance of Post and Telecommunications (BÜPF) and the accompanying decree VÜPF, the company is not required to store communication metadata (“data retention”).

Upon judicial order, however, Threema GmbH has to provide the “information that is available” (Article 22 paragraph 3 BÜPF). According to Article 27 BÜPF, it could be obliged to store data for the purpose of disclosure in certain cases. By sending “info” to *MY3DATA, users can always retrieve their Threema ID’s inventory data that’s stored on the server side.

Requests for available user information are handled as follows:

  • Based on Article 26 paragraph 2 VÜPF, inquiries will only be processed if they have been submitted via the PTSS in accordance with the procedure mandated by the VÜPF and if they fully meet the formal requirements upon legal review.

  • Foreign authorities have to make an official request for legal assistance in accordance with the Federal Act on International Mutual Assistance in Criminal Matters. Threema does not handle inquiries by foreign authorities.

  • If and only if the legal requirements are fully met, the following information associated with a given Threema ID will be provided:

    • Date (without time) of the Threema ID’s creation

    • Date (without time) of Threema ID’s most recent login

  • The following information is only available if the user has chosen to use the respective optional functionality:

    • Only in case the user in question has chosen to link a phone number and/or email address with their Threema ID: Hash of the user’s phone number and/or email address

    • Only in case the user in question has chosen to use a third-party push service (and their ID was active within the last three months): Push token

Here is a breakdown of the user data that has been shared with authorities since 2014:

Year Requests by authorities* Requests that have
met the formal requirements
Requests that didn’t
meet the formal requirements
Provided data
(# cases)
Provided data
(# IDs)

2024

306

305

1

288

852

2023

177

177

0

170

810

2022

103

102

1

97

473

2021

80

78

2

71

369

2020

105

104

1

98

558

2019

101

98

3

93

317

2018

28

25

3

25

69

2017

2 (Swiss) / 2 (Foreign)

4

-

3

12

2016

0 (Swiss) / 1 (Foreign)

1

-

1

1

2015

1 (Swiss) / 0 (Foreign)

-

1

-

-

2014

0

-

-

-

-

Last update: 2024-12-31

* Since the new BÜPF act has come into force on March 1, 2018, Threema can no longer distinguish between requests by Swiss authorities and requests by foreign authorities with Swiss legal assistance.

Follow us

Threema

Made in Switzerland © 2025 Threema GmbH.