The Best To-Do List Apps of 2026: A Privacy-Focused Guide

Wirecutter, the product review site from The New York Times, recently published The 3 Best To-Do List Apps of 2026. Their picks—Things 3, Todoist, and Microsoft To Do—are solid for getting things done. But if you care about where your task data lives and who might be looking at it, the choice isn’t quite that simple.

Most of us dump a lot into these apps: work deadlines, personal reminders, grocery lists, even sensitive project details. After several high-profile data breaches in 2025 and growing awareness of how app companies monetise user information, it’s worth asking: how much privacy are you trading for convenience?

What Happened: Wirecutter’s Top Three

Wirecutter’s methodology focuses on usability, cross-platform support, and reliability. Their 2026 picks are:

  • Things 3 (Apple-only, one-time purchase)
  • Todoist (cross-platform, freemium subscription)
  • Microsoft To Do (free, integrated with Microsoft 365)

Each app excels at task management. But their privacy postures differ significantly.

Why It Matters: What’s at Stake

To-do list apps can see a surprising amount of personal data. Beyond task titles, many store notes, due dates, recurring patterns, and sometimes location or collaboration history. If a company uses this data for advertising, profiling, or shares it with third parties, you lose control over information that could be used to infer your habits, routines, and even your health or financial status.

Recent breaches (like the 2025 incident affecting a popular note-taking service) show that even non-financial data can be exploited in phishing campaigns or stalking scenarios. For people who mix personal and work tasks in one app, the risk multiplies.

Privacy Analysis of Each App

I’ve reviewed each app’s public privacy policy and technical documentation (as of early 2026). Here’s what stands out:

Things 3 (by Cultured Code) stores tasks locally on your device. Syncing happens through iCloud or the app’s own CloudKit-based sync. The company says it does not collect usage data or track you. They earn money through direct purchases, not ads or data sales. This makes Things 3 the strongest option if privacy is your top priority. The trade-off: it’s Apple-only and costs $10–$50 depending on platform version.

Todoist (by Doist) uses cloud storage. Their privacy policy states they do not sell personal data. They collect task content, email, and usage logs for service improvement. Tasks are encrypted in transit but not end-to-end encrypted (Todoist can technically read your task data). They offer two-factor authentication and are GDPR compliant. For most users, Todoist’s data handling is reasonable, but be aware that your task text is visible to the company.

Microsoft To Do is part of the Microsoft ecosystem. Like other Microsoft consumer services, data may be used to personalise ads and improve products unless you opt out via account settings. Your tasks are stored in Exchange Online and are subject to Microsoft’s privacy policy. There is no end-to-end encryption. If you already use Microsoft 365 and trust that ecosystem, the additional exposure is minimal. If not, know that your task data is part of a large advertising network.

What Readers Can Do: Practical Steps

  1. Check the policy yourself. Privacy policies change. Visit each app’s official site and look for sections on data sharing, third-party access, and encryption.

  2. Consider the “eye test.” If an app is free and doesn’t charge you, you are likely the product. Microsoft To Do is free because it supports the broader Microsoft ad business. Todoist charges for premium features but still has a free tier. Things 3 has no free version.

  3. Turn off optional sharing. In Todoist and Microsoft To Do, disable settings that allow the app to send anonymous usage data or crash reports.

  4. Limit cross-account connections. Don’t link your to-do app to Google Calendar or Slack unless you trust both sides with the information flow.

  5. For maximum control, go local. If you don’t need sync across devices, many offline apps like GoodTask (iOS) or plain text files (using Markdown) exist.

Alternative Privacy-Focused Apps

If none of the three meet your privacy bar, consider:

  • TickTick – Similar to Todoist but with end-to-end encryption available on the premium tier (check current policy).
  • Tasks.org – Open-source, integrates with Google Tasks or CalDAV. You control where data is stored.
  • Vikunja – Self-hostable, open-source, gives you full server control. Requires technical setup.

Sources

  • Wirecutter, “The 3 Best To-Do List Apps of 2026,” The New York Times, December 2025.
  • Cultured Code (Things 3) Privacy Policy, accessed April 2026.
  • Doist (Todoist) Privacy Policy, accessed April 2026.
  • Microsoft Privacy Statement, accessed April 2026.

Bottom Line

Wirecutter’s picks are well-researched for productivity. But privacy preferences are personal. If you’re using a free cloud-based app and haven’t checked the fine print, now is a good time. A single to-do list probably isn’t your most sensitive data, but it’s a window into your daily life that you may not have locked.