How to Choose a To-Do List App That Keeps Your Tasks Private
Your to-do list probably contains more sensitive information than you think — project deadlines, personal goals, medical appointments, financial tasks, even passwords saved as notes. Yet most people give little thought to how these apps handle that data. The convenience of syncing across devices often comes with a trade-off: your task list may be visible to the app company or its advertisers, or worse, exposed in a data breach.
Wirecutter published its updated review of the best to-do list apps in early 2026, testing dozens for usability, features, and reliability. Their top three picks are Todoist, Things (macOS and iOS), and Microsoft To Do. Each is well designed and capable, but from a privacy standpoint they are not equal.
What happened
Wirecutter’s 2026 review, which built on years of testing, named Todoist as the best overall to-do app for most people, citing its cross‑platform support, natural language input, and collaboration features. Things received the nod for Apple users who want a polished, locally‑focused experience. Microsoft To Do was recommended for people already deep in the Microsoft ecosystem, thanks to its tight integration with Outlook and Office 365.
The review focused primarily on productivity: task management, reminders, project views, and speed. Privacy and data security were not major scoring factors. That is not a criticism — Wirecutter’s mission is to find the most useful tool. But for readers who care about where their task data ends up, it is worth looking under the hood.
Why it matters
Task lists often contain a running record of your life. A to‑do app may know when you wake up, what health goals you have, which bills you need to pay, and what you are working on for your employer. If that data is stored in the clear on a server, it can be read by the company, shared with third parties for analytics or advertising, or exposed in a breach.
Among the three Wirecutter picks:
Todoist uses TLS encryption in transit, but data at rest is not end‑to‑end encrypted. The company states it does not sell personal data, but it does use aggregated data for product improvement. Tasks are stored on Todoist’s servers and can be accessed by the company. There is no option for zero‑knowledge encryption.
Things is a different case. It stores tasks locally on your device by default, with optional sync via Things’ own cloud service (which uses encryption but is not zero‑knowledge either). Because it is Apple‑only and syncs through the developer’s servers, it is more contained, but still not fully private from the developer.
Microsoft To Do uses enterprise‑grade security (TLS, encryption at rest) and is subject to Microsoft’s corporate privacy policy, which generally does not mine user content for ads. However, it is deeply integrated into the Microsoft 365 environment, and users must trust Microsoft’s data handling. The service is not end‑to‑end encrypted.
No mainstream to‑do app among Wirecutter’s top picks offers true end‑to‑end encryption out of the box. That means the app provider has the technical ability to read your task data if they choose, or if compelled by law.
What readers can do
You do not have to sacrifice productivity for privacy. Here are practical steps to choose and secure a to‑do list app that respects your data.
1. Check the encryption model. Look for apps that advertise “end‑to‑end encryption” or “zero‑knowledge architecture.” Apps like Standard Notes (which also handles tasks) and some niche options offer this. For sensitive tasks, consider using a notes app with strong encryption instead of a dedicated to‑do app.
2. Read the privacy policy with a critical eye. Look for clear statements about data collection, sharing with third parties, and whether the company uses your task content for anything beyond providing the service. If the policy mentions “de‑identified” data for “analytics,” understand that de‑identification can sometimes be reversed.
3. Enable two‑factor authentication. This protects your account even if your password is compromised. All three Wirecutter picks support 2FA, though Microsoft To Do requires you to set it up through your Microsoft account settings.
4. Limit what you put in the app. Avoid storing passwords, Social Security numbers, full financial account details, or other highly sensitive information in any cloud‑synced to‑do list. Use a dedicated password manager or encrypted notes app for that.
5. Consider offline or paper systems. If your privacy needs are extreme, the most secure to‑do list is one that never touches the internet. A paper notebook, a plain text file on an encrypted drive, or an offline‑only app (like Things with sync turned off) can be effective. Wirecutter also reviewed a paper to‑do system in 2025 that cuts through digital distractions — useful for both focus and privacy.
6. Review app permissions. On your phone, check what the to‑do app can access (contacts, location, camera). Deny any permission that isn’t strictly needed for the app to function.
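Step 4 can be checked mechanically before a list is synced or imported into a cloud app. The Python script below is an added example, not code from Wirecutter or any of the apps discussed; the patterns, function names and sample tasks are constructed for illustration, and it assumes the list is available as plain-text lines.

```python
import re

# Patterns for the data step 4 says to keep out of a cloud-synced list.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SECRET_RE = re.compile(
    r"\b(?:password|passwd|pwd|pin|passcode)\b\s*(?:is|[:=])\s*\S+", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_tasks(lines):
    """Return (line_number, kind) pairs; the matched value is never echoed."""
    findings = []
    for n, line in enumerate(lines, 1):
        if SSN_RE.search(line):
            findings.append((n, "ssn"))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((n, "card_number"))
                break
        if SECRET_RE.search(line):
            findings.append((n, "password_note"))
    return findings

# Constructed sample tasks (well-known test values, not real data).
SAMPLE_TASKS = [
    "Book dentist appointment for Tuesday",
    "Router admin password: hunter2-example",
    "Send HR my SSN 078-05-1120 for the new-hire form",
    "Dispute charge on card 4111 1111 1111 1111",
    "Call 555-0100 about order 1234567890123",   # fails Luhn, not flagged
    "Pay electricity bill before the 15th",
]

if __name__ == "__main__":
    for line_no, kind in scan_tasks(SAMPLE_TASKS):
        print(f"line {line_no}: possible {kind}, move it to a password manager")
```

Pattern matching of this kind catches common formats only; a clean result does not mean the list holds nothing sensitive.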
Sources
- Wirecutter, “The 3 Best To‑Do List Apps of 2026,” December 2025 (updated 2026). nytimes.com/wirecutter
- Wirecutter, “This Paper To‑Do System Cuts Through Digital Distractions So You Can Focus on Your Most Important Tasks,” September 2025.
- Privacy policies of Todoist, Things (Cultured Code), and Microsoft To Do (Microsoft Privacy Statement).
Choosing a to‑do app is about more than features. By asking a few questions about how your data is handled, you can stay productive without giving up control over your private tasks.