Your To-Do List App Might Know More Than You Think
A to-do list app seems harmless enough—just tasks, reminders, maybe a grocery list. But think about what else goes in there: work deadlines, doctor appointments, travel plans, passwords you jot down, or even private notes. That data can reveal a lot about your daily life, your schedule, and the people you interact with.
When the New York Times’ Wirecutter published its 2026 roundup of the best to-do list apps, it focused on features, design, and usability—as you’d expect from a product review. What those reviews don’t usually highlight is how each app treats your privacy and security. That’s worth a closer look because the convenience of syncing across devices often comes with trade-offs in data control.
What Happened
Wirecutter’s top three picks for 2026 are the same apps that have dominated the category for several years: Things 3 (for Apple users), Todoist, and Microsoft To Do. Each has a solid reputation, but their approaches to data protection differ significantly.
Things 3 is a paid app with no cloud storage of its own—your data stays only on your device unless you enable iCloud sync. That means Apple handles the sync, not the app developer, so Things itself never sees your tasks. This is a strong privacy design, but it relies entirely on Apple’s iCloud security model. Things 3’s privacy policy states that the developer collects no personal data and does not track usage.
Todoist stores your tasks on its own servers. It offers end-to-end encryption only on its business plan; the free and Pro tiers use encryption in transit (HTTPS) and at rest (AES-256) on its servers, meaning Todoist holds the encryption keys. The company has a transparent privacy policy and complies with GDPR and CCPA, but it has suffered a security incident before: in 2019, a breach exposed some user emails and hashed passwords. Todoist quickly reset affected accounts, but the event shows that server-side storage is never risk-free.
Microsoft To Do is deeply integrated into the Microsoft ecosystem. It saves data to your Microsoft account, which means it’s subject to the same privacy policy as Outlook, OneDrive, and other services. Microsoft does not offer end-to-end encryption for To Do data; tasks are encrypted at rest on its servers, but Microsoft can access them if needed (e.g., for legal requests or service improvements). The company has a strong track record on security certifications, but the lack of client-side encryption may be a dealbreaker for privacy-conscious users.
Why It Matters
Your to-do list is a behavioral diary. It shows what you value, when you work, and who you interact with. If an app collects metadata—like timestamps, tags, or location notes—it can build a profile of you. Three specific risks stand out:
- Data breaches: Any server-side storage is a target. Even if passwords are hashed, the content of your tasks could be exposed if the encryption keys are compromised.
- Third-party sharing: Some apps share aggregated or anonymized data with analytics providers. Todoist and Microsoft To Do both use third-party analytics; Things 3 does not.
- Legal access: Without end-to-end encryption, companies can be compelled by governments to hand over your task data. Microsoft has a long history of complying with lawful requests, while Todoist has fought some requests but ultimately must comply with valid orders.
What Readers Can Do
You don’t need to abandon your favorite app. A few practical steps can tighten your security:
- Check the privacy policy for each app. Look for “data collection,” “third-party sharing,” and “encryption” sections. If the policy is vague, treat the app as untrustworthy for sensitive data.
- Enable two-factor authentication on your account, especially for Todoist and Microsoft To Do. This adds a layer of protection even if your password is stolen.
- Avoid storing sensitive information in task descriptions or notes. Use a dedicated password manager for credentials, not a to-do app.
- Use local-only apps for personal tasks. Things 3 (without iCloud) or plain text files can keep your data off the cloud entirely.
- Review app permissions on your phone. A to-do app doesn’t need access to your contacts, camera, or location unless you explicitly use those features.
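The advice above about keeping credentials out of task descriptions can be checked mechanically before you sync anything. The following Python script is an added example, not code from any of the apps or sources discussed; it scans a plain-text task export for lines that look like secrets. The sample tasks, the patterns, and the 3.5-bit entropy threshold are constructed assumptions.

```python
import math
import re

# Constructed sample export (not real data); 4111... is a well-known test card number.
SAMPLE_TASKS = """\
Buy groceries: milk, eggs, bread
Router admin password: Tr0ub4dor&3x
Call dentist to reschedule Tuesday appointment
Renew subscription with card 4111 1111 1111 1111
Order number 1234 5678 9012 3456 for the new desk
Rotate API key demo_9fQ2xLmZ7pRa4VbK1cYtW8eH
"""

# A credential word followed by ":" or "=" and a value.
KEYWORD = re.compile(r"(?i)\b(pass(word|code)?|pwd|pin|secret|api[ _-]?key|token)\b\s*[:=]\s*\S+")
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")       # 13-19 digits, optional separators
TOKEN = re.compile(r"\b[A-Za-z0-9_\-]{20,}\b")     # long unbroken strings

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def entropy(s):
    """Shannon entropy in bits per character; random tokens score high."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_tasks(text):
    """Return (line number, reasons) for every task line that looks sensitive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reasons = []
        if KEYWORD.search(line):
            reasons.append("credential keyword")
        if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD.finditer(line)):
            reasons.append("card number")
        if any(entropy(t) >= 3.5 for t in TOKEN.findall(line)):  # assumed threshold
            reasons.append("high-entropy token")
        if reasons:
            findings.append((lineno, reasons))
    return findings

if __name__ == "__main__":
    for lineno, reasons in scan_tasks(SAMPLE_TASKS):
        print(f"line {lineno}: {', '.join(reasons)}")
```

Anything it flags belongs in a password manager rather than a task note; lines it misses are not proof that a list is clean, since pattern matching only catches the obvious cases.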
Sources
- Wirecutter, “The 3 Best To-Do List Apps of 2026,” The New York Times, December 2025.
- Todoist Privacy Policy (accessed April 2026).
- Microsoft To Do Privacy FAQ (accessed April 2026).
- Things 3 Privacy Policy (accessed April 2026).
- Todoist 2019 security incident report (Todoist blog, January 2020).
Note: The Wirecutter article is behind a paywall; the summary above is based on public information about the apps’ features and the general methodology of Wirecutter reviews. For the most current details, check the apps’ own websites and the latest version of the review.