Privacy Policy,1.
General,The “Threema Shop” (https://shop.threema.ch/) is a web-based offer by,Threema GmbH (hereinafter “Threema”) for “Customers” who want to,purchase licenses for the “Threema App” for mobile devices with Android,operating system and/or download the file for the Threema App.,Threema’s focus lies on data protection and privacy, which is why we,provide Customers of the Threema Shop and interested persons with the,information for transparent processing of their personal data in this,Privacy Policy.,A.
Scope of Application,This Privacy Policy applies to all data processing activities that take place,while visiting and interacting with the Threema Shop and are related to,personal data, namely:,A.Calling Up the Threema Shop;,B.Purchasing License Keys;,C.Retrieving License Keys;,D.Redeeming Promo Codes;,E.Downloading the Threema App;,F.Misuse Protection (hCaptcha).,Threema as the data controller is a limited liability company under Swiss,law with its registered office in Pfäffikon SZ (municipality of Freienbach),,Switzerland, and business identification number (hereinafter “UID”) CHE-,221.440.104.,When a Customer visits and interacts with the Threema Shop, personal,data is, unless otherwise stated in this Privacy Policy, processed and, if,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland,necessary, stored exclusively on Threema’s own servers in two “ISO,27001”-certified data centers located in Zurich, Switzerland (hereinafter,“Threema Servers”).,As a company with its registered office in Switzerland, Threema and the,data processing it carries out are subject to Swiss data protection law,(Federal Act on Data Protection of September 25, 2020, SR 235.1;,hereinafter “FADP”).
For data subjects residing in the territory of the EU,or the EEA (marked with “for EU/EEA”), European data protection law,(Regulation (EU) 2016/679 of April 27, 2016, General Data Protection,Regulation.
hereinafter “GDPR”) may additionally apply.,Personal data pursuant to Art.
5 lit.
a FADP [for EU/EEA: Art.
4 No.
1 GDPR],is information that relates to an identified or identifiable natural person.,B.
Controller,Threema GmbH,Churerstrasse 82,8808 Pfäffikon SZ,Switzerland,UID: CHE-221.440.104,C.
Data Protection Officer,Threema GmbH,Data Protection Officer,Churerstrasse 82,8808 Pfäffikon SZ,Switzerland,Email: privacy at threema dot ch,D.
Representative in the EU (Art.
27 GDPR),ACC Datenschutz UG,2,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,Messestrasse 6,94036 Passau,Germany,E.
Swiss Supervisory Authority,Federal Data Protection and Information Commissioner (FDPIC),Feldweg 1,3003 Bern,Switzerland,Telephone: +41 58 462 43 95,Contact form of the FDPIC: Link,2.
Processing Activities,Depending on the interaction when the Customer visits the Threema Shop,,Threemaprocessesdifferentcategoriesofpersonaldataaboutthe,Customer for different purposes, based on different legal bases and with,different storage periods, if any personal data is stored at all.,A.
Calling Up the Threema Shop,Processing,When the Threema Shop is called up, information, including personal data,,is automatically sent to the Threema Servers by the browser on the,Customer’s device, processed, and stored in a log file.,After processing the full IP address, normally only the first two digits of a,Customer’s IP address are stored in the log file, unless an error occurred,when calling up the Threema Shop.
In case of an error, the full IP address,is stored in the log file.,Categories of Processed Personal Data,When calling up the Threema Shop, the following personal data is,processed on the Threema Servers and stored in a log file:,IP address of the Customer.,3,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,Purpose,The aforementioned personal data is processed by Threema for the,following purposes:,Delivery of the Threema Shop in the Customer’s browser;,Information security.,Legal Basis,The processing and storage of IP addresses is technically necessary and,based on the overriding private interest (delivery of the Threema Shop to,the Customer.
information security) of Threema.
Art.
31 Sec.
2 lit.
a FADP,[for EU/EEA: Art.
6 Sec.
1 lit.
b GDPR].,Necessity,The processing of the IP address is technically necessary to deliver the,Threema Shop in the Customer’s browser, and to be able to analyze,potential technical errors for information security purposes.,Storage Period,The log file with the Customer’s IP address created when the Threema,Shop is called up is stored on the Threema Servers for 10 days, counting,from the creation date of the log file, and then automatically deleted.,B.
Purchasing License Keys,Processing,To purchase license keys for the Threema App in the Threema Shop,,Customers must go through an order process.
With the exception of the,Customer’s email address, the provision of all personal data in the,ordering process is voluntary and optional.
they are used to individualize,the Customer’s invoice, if the Customer so wishes.,Note: Several payment methods are available to the Customer, none of,which require the provision of personal data on the Threema Shop’s,website.
Payments by credit card (MasterCard and Visa) are processed,withDatatransAG,Kreuzbühlstrasse26,8008Zurich,Switzerland,(hereinafter “Datatrans”).
The Customer is redirected to Datatrans to,4,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,enter their payment information.
Customers can find more information on,data protection at Datatrans under this external link.
Payments via the,PayPal service are processed with PayPal (Europe) S.à.r.l.
et Cie, S.C.A.,,22-24 Boulevard Royal, 2449 Luxembourg, Grand Duchy of Luxembourg,(hereinafter “PayPal Europe”).
To enter their payment information, the,Customer is redirected to PayPal Europe.
Customers can find more,information on data protection at PayPal Europe under this external link.,After completing the order process, the license keys purchased by the,Customer will be delivered to the email address provided by the Customer.,After successful delivery, the Customer’s email address is converted into a,one-way encrypted hash value and stored on the Threema Servers linked,to the purchased license keys via an order number.,Categories of Processed Personal Data,When submitting an order for license keys, the following personal data is,processed and stored on the Threema Servers:,Email address (one-way encrypted);,Company (optional);,First name (optional);,Last name (optional);,Address (optional);,VAT number (optional).,To protect the Threema Shop from misuse, Threema uses a captcha from,the hCaptcha service (see Section 2.F.).,Purpose,The aforementioned personal data is processed by Threema for the,following purposes:,Contract performance.,Legal Basis,The processing of personal data of the Customer when purchasing license,keys is based on the overriding private interest (contract performance) of,Threema.
Art.
31 Sec.
2 lit.a FADP [for EU/EEA: Art.
6 Sec.
1 lit.
b GDPR].,Necessity,5,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,This data processing is necessary to perform contracts with Customers for,the purchase of license keys.,Storage Period,Theemailaddressprovidedwhenpurchasinglicensekeyswillbe,converted to a one-way encrypted hash value on the Threema Servers,after successful delivery of the license keys to the Customer, and stored,until revocation.,Thestorageoftheone-wayencryptedemailaddressenablesthe,Customer to recover their license keys, if necessary (see Section 2.C.).,The other personal data provided voluntarily and optionally by the,Customer is stored on the Threema Servers until revocation.,Note: Threema is subject to a statutory retention obligation of 10 years in,connection with accounting records and accounting vouchers, including,any personal data.
In addition, Threema reserves the right to retain all,data and documents required for the reconstruction of the contractual,relationship with a Customer, including any personal data, for the duration,of the ordinary period of limitations of 10 years.,C.
Retrieving License Keys,Processing,If a Customer forgets or loses their purchased license keys, they may,automatically restore them at any time via the Threema Shop’s website in,two ways.,As a data-saving option, Threema offers the Customer the possibility to,enter their invoice reference.
The Customer’s license keys are then,displayed directly in the Threema Shop.,Alternatively, the Customer may provide their email address with which,they purchased the license keys.
The email address provided is converted,into a one-way encrypted hash value and compared with the Customers’,hash values stored on the Threema Servers.,6,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,If the hash value of the Customer’s email address matches a hash value,stored on the Threema Servers, the corresponding license keys linked via,the order number are sent to the Customer’s provided email address.,Categories of Processed Personal Data,When retrieving license keys, the following personal data is processed on,the Threema Servers:,Email address (one-way encrypted).,To protect the Threema Shop from misuse, Threema uses a captcha from,the hCaptcha service (see Section 2.F.).,Purpose,The aforementioned personal data is processed by Threema for the,following purposes:,Contract performance.,Legal Basis,The processing of personal data of the Customer when retrieving license,keys is based on the overriding private interest (contract performance) of,Threema.
Art.
31 Sec.
2 lit.
a FADP [for EU/EEA: Art.
6 Sec.
1 lit.
b GDPR].,Necessity,This data processing is necessary to perform contracts with Customers on,the purchase of license keys.,Storage Period,Theemailaddressprovidedforretrievinglicensekeyswillbe,immediatelydeleted after successful delivery of the retrieved license,keys to the Customer, and is never permanently stored on the Threema,Servers.,The Customer’s one-way encrypted email address from the purchase of,their license keys remains stored on the Threema Servers (see Section,2.B.).,7,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,D.
Redeeming Promo Codes,Processing,In addition to purchasing license keys for a fee, Customers may redeem,promo codes.
To do so, the Customer must enter the promo code and their,email address in the Threema Shop.,After redeeming the promo code, the license key purchased by the,Customer will be delivered to the email address provided.,Categories of Processed Personal Data,When redeeming promo codes, the following personal data is processed,on the Threema Servers:,Email address.,To protect the Threema Shop from misuse, Threema uses a captcha from,the hCaptcha service (see Section 2.F.).,Purpose,The aforementioned personal data is processed by Threema for the,following purposes:,Contract performance.,Legal Basis,The processing of the Customer’s email address when redeeming promo,codes is based on the overriding private interest (contract performance) of,Threema.
Art.
31 Sec.
2 lit.
a FADP [for EU/EEA: Art.
6 Sec.
1 lit.
b GDPR].,Necessity,This data processing is necessary to perform contracts with Customers on,the purchase of license keys.,Storage Period,Theemailaddressprovidedforredeemingpromocodeswillbe,immediately deleted after successful delivery of the license key to the,Customer, and is never permanently stored in plain text on the Threema,Servers.,8,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,E.
Downloading the Threema App,Processing,To download the Threema App, the Customer must provide their license,key for a license check in the Threema Shop.
The license key provided by,the Customer is compared with valid license keys on the Threema Servers.,If the Customer’s license key matches a valid license key, the file of the,Threema App is released to the Customer for download.
,Categories of Processed Personal Data,When performing a license verification to download the Threema App, the,following personal data is processed on the Threema Servers:,License key.,To protect the Threema Shop from misuse, Threema uses a captcha from,the hCaptcha service (see Section 2.F.).,Purpose,The aforementioned personal data is processed by Threema for the,following purposes:,Contract performance.,Legal Basis,The processing of the Customer’s license key for license verification is,basedontheoverridingprivateinterest(contractperformance)of,Threema.
Art.
31 Sec.
2 lit.
a FADP [for EU/EEA: Art.
6 Sec.
1 lit.
b GDPR].,Necessity,This data processing is necessary to verify the Customer’s authorization to,download and use the Threema App.,Storage Period,The license key provided by the Customer will be immediately deleted,after the license verification and is not permanently stored on the,Threema Servers.,9,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,F.
Misuse Protection (hCaptcha),Processing,Inorder toprotect the ThreemaShopfrom misuse throughforms,submitted by machines, Threema uses the captcha of the “hCaptcha”,service for all forms used on the Threema Shop.,hCaptcha is a service of Intuition Machines, Inc., 350 Alabama St, San,Francisco, CA 94110, USA (hereinafter “Intuition Machines”).
hCaptcha,is “ISO 27001”-certified.
Customers can find more information on data,protection at Intuition Machines under this external link.,The USA as the registered office of Intuition Machines and the probable,place of data processing of the hCaptcha service is not included in the list,of states under Annex 1 to the DPO.
therefore, its legislation does not,ensure adequate data protection.
Art.
16 Sec.
1 FADP in connection with,Art.
8 Sec.
1 DPO.,For this reason, personal data disclosed to Intuition Machines is converted,to a one-way encrypted hash value on the Threema Servers before it is,disclosed.,Note: No personal data is disclosed to Intuition Machines.
identification of,Customers is thereby not possible.,Categories of Processed Personal Data,When solving a captcha, the following personal data is processed on the,Threema Servers and disclosed to Intuition Machines in pseudonymized,form:,IP address (one-way encrypted).,Purpose,The aforementioned personal data is processed by Threema and disclosed,to Intuition Machines in pseudonymized form for the following purposes:,Information security.,10,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,Legal Basis,The processingof IP addressesonthe ThreemaServersandtheir,disclosure to Intuition Machines in pseudonymized form is based on the,overriding private interest (misuse protection) of Threema.
Art.
31 Sec.
2,lit.
a FADP [for EU/EEA: Art.
6 Sec.
1 lit.
b GDPR].,Necessity,This data processing is necessary to prevent misuse through forms in the,Threema Shop submitted by machines.,Storage Period,After their pseudonymization and their disclosure to Intuition Machines in,pseudonymized form, the IP addresses of Customers areimmediately,deleted on the Threema Servers.,3.
Disclosure of Data to Third Parties,Principally, Threema does not disclose to third parties any personal data,that is transmitted by the Customer when visiting the Threema Shop and,that is then processed and stored on the Threema Servers.,Threema reserves the right to disclose personal data to third parties (e.g.,,lawyers) if it is necessary for the assertion, exercise, or defense of legal,claims by Threema.,4.
Collection of Data from Third Parties,Principally, Threema does not collect from third parties any personal data,that is transmitted by the Customer when visiting and interacting with the,Threema Shop and that is then processed and stored on the Threema,Servers.,5.
Data Security,Threema takes all necessary technical and organizational measures to,11,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,prevent unauthorized access and misuse of data of Customers of the,Threema Shop.
The security measures are continuously improved in line,with technological developments.,6.
Rights of the Customer,As data subjects, Customers of the Threema Shop can assert various,claims under data protection law against Threema.,In order to fulfil these claims, Threema may have to process personal data,of data subjects.
In particular, Threema must be able to identify the data,subject in order to ensure that the data subject rights are not exercised by,anyone other than the data subject and that no personal data is unlawfully,disclosed to third parties.
,Depending on the applicable law, data subjects may exercise the following,rights in relation to personal data against Threema:,Right to Information,Art.
25 and 26 FADP [for EU/EEA: Art.
15 GDPR],A data subject has the right to request information about their personal,data processed by Threema.,Right to Correction or Completion,Art.
32 Sec.
1 FADP [for EU/EEA: Art.
16 GDPR],A data subject has the right to request that Threema corrects inaccurate,or completes incomplete personal data without undue delay.,Right to Deletion,Art.
32 Abs.
2 FADP [for EU/EEA: Art.
17 GDPR],A data subject has the right to request that Threema deletes their personal,data without undue delay.
,Right to Withdrawal of Consent,only for data processing based onconsent.
Art.
30 Sec.
2 FADP [for,12,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,EU/EEA: Art.
7 Sec.
3 GDPR],A data subject has the right to withdraw their consent to the processing of,their personal data by Threema.
This has the consequence that Threema,may no longer continue the data processing based on this consent.
The,processing of the Visitor’s personal data by Threema up to this point in,time on the basis of the Visitor’s consent remains lawful.,Right to Objection,only for data processing based on legitimate interests.
Art.
30 Sec.
2,FADP [for EU/EEA: Art.
21 GDPR],A data subject has the right to object to the processing of their personal,data by Threema where such personal data is processed based on,Threema’s overriding private interests.
Art.
31 DSG [for EU/EEA: Art.
6 Sec.,1 lit.
f GDPR].,Right to Blocking,Art.
32 FADP [for EU/EEA: Art.
18 GDPR],For the protection of their personality, a data subject has the right to,request that Threema blocks the processing of their personal data.,Right to Data Transfer,Art.
28 and 29 FADP [for EU/EEA: Art.
20 GDPR],[only for data processing based on consent or a contract and with the,aid of automated procedures.
Art.
20 GDPR],A data subject has the right to receive the personal data they have,provided to Threema in a structured, commonly used, and machine-,readable format, provided that:,the processing is based on consent or on a contract.
and,the processing is carried out with the aid of automated procedures.,13,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland ,7.
Timeliness and Amendment of this ,Privacy Policy,Threema reserves the right to amend this Privacy Policy from time to time,in order to comply with changed legal requirements or to implement new,features in the Privacy Policy.
The current Privacy Policy is always linked,on the website of the Threema Shop.,14,Threema GmbH Churerstrasse 82 8808 Pfäffikon SZ Switzerland