How to Pick a To-Do List App That Respects Your Privacy (2026 Guide)

How to Pick a To-Do List App That Respects Your Privacy (2026 Guide)

Every year, Wirecutter publishes a roundup of the best to-do list apps, testing features, reliability, and design. The 2026 edition (published December 2025) names three winners that balance ease of use with cross-platform support. But if you’re someone who worries about who can see your tasks—and all the sensitive details they often contain—those reviews leave an important question unasked: How private is this app?

Your to-do list may hold work projects, personal goals, medical appointments, or reminders about bills. That data can reveal a lot about your habits, location, and even your health. Not every app treats it with the same care. This guide helps you choose an app that keeps your tasks to yourself, without giving up the convenience you need.

What happened

Wirecutter’s latest tests (December 2025) concluded that three apps stand out for most people: Todoist, Microsoft To Do, and Things 3 (the last one only on Apple devices). The review focused on features like natural-language input, project organization, and cross-platform syncing. It did not make privacy a primary criterion, which is typical for productivity app reviews.

Since then, the privacy landscape has shifted. Data breaches continue to make headlines, and app makers have been pressured to clarify how they handle customer information. For to-do apps, the key issues are not always obvious from the feature lists.

Why it matters

A to-do list app often knows more about you than you might think. At a minimum, it stores the text of your tasks. But many apps also collect:

• Time and location data – when and where you created or completed a task.
• Collaboration metadata – who you share tasks with and how often.
• Usage patterns – how you interact with the app, which features you use, and for how long.

This data can be used for product improvement, marketing, or sold to third parties. Even if an app doesn’t sell data, a server breach could expose your entire list. In 2024, several productivity apps suffered breaches that leaked user task content and personal information. The risk is not theoretical.

Privacy policies vary widely. Some apps store your tasks encrypted on their servers but hold the decryption keys; others keep everything in plaintext on the cloud. A few offer end-to-end encryption (E2EE) where only you can read your data. And a handful let you store everything locally, with no cloud at all.

For everyday users, the most important question is: Can the company read your tasks? If the answer is yes, your data is only as safe as the company’s security practices and business model.

What readers can do

You do not need to give up modern to-do list features to protect your privacy. Here are concrete steps based on current app offerings.

1. Check the privacy policy for “zero-knowledge” or E2EE claims.

• Todoist uses encryption at rest and in transit, but it holds the encryption keys. This means Todoist employees can (in theory) access your task data. The company says it does not, but the technical possibility exists.
• Microsoft To Do stores tasks in Exchange Online, which is encrypted at rest. However, Microsoft has access to the encryption keys as part of its enterprise cloud services.
• Things 3 is a local-only app. Your tasks live on your iPhone, iPad, or Mac. Sync (via Things Cloud) uses end-to-end encryption—only your devices can decrypt the data. This is the gold standard among the three Wirecutter picks.

2. Look for local or offline-first options.
Apps like Things 3, Obsidian (with a plugin for tasks), and NotePlan keep your data on your device. Sync is optional and can be E2EE. If you don’t need collaboration or web access, these are the safest bets.

3. Review permission and data-sharing settings.

• Turn off location tracking and sync only over Wi-Fi.
• Disable analytics or usage sharing in the app’s settings menu.
• If the app offers a “privacy dashboard,” use it to review what data has been collected.

4. Consider the business model.
Free-to-download apps often monetize by selling aggregated data or by integrating advertising. Paid apps (especially those with a one-time purchase, like Things) are less likely to treat your data as a product.

5. Use a password manager for task content you want to keep confidential.
If you must use a cloud-synced app for project management but have very sensitive tasks (e.g., login codes, financial reminders), store only a vague reference in the app and keep the details in an encrypted note inside a password manager.

Afterword on the Wirecutter picks

Wirecutter’s 2026 article is a solid starting point for choosing a to-do list app based on usability. But for privacy-conscious users, Things 3 is the clear winner among the three because of its local-first design and E2EE sync. If you use Windows or Android, you will need to look beyond the Wirecutter list. Alternatives like TickTick (which offers a local-only mode) or Apprise (a newer E2EE to-do app) deserve a look, though neither has been reviewed by Wirecutter as of this writing.

Sources

• “The 3 Best To-Do List Apps of 2026 | Reviews by Wirecutter” – The New York Times, December 10, 2025.
• Official privacy policies for Todoist, Microsoft To Do, and Things 3 (accessed May 2026).
• KrebsOnSecurity (2024) – reports on productivity app breaches.
• Electronic Frontier Foundation – “How to Read a Privacy Policy” guide.

Note: App privacy practices can change. Verify the current policy and encryption technical documentation before committing to any service.