The Best To-Do List Apps of 2026 – But Which One Protects Your Privacy?
A to-do list app stores the details of your daily life: work deadlines, medical appointments, personal goals, even passwords if you write them down. When you sync that list across devices, your data travels through someone else’s servers. In 2026, with data breaches making headlines regularly, it’s reasonable to ask whether the convenience of a to-do list app is worth the privacy risk.
Wirecutter, the product review arm of The New York Times, recently updated its guide to the best to-do list apps. Their top picks for 2026 are Todoist, Things, and Microsoft To Do. These apps are well-regarded for features and reliability, but their privacy practices vary significantly. Below is a look at what each app does with your data and what you can do about it.
What happened
Wirecutter’s 2026 review evaluated dozens of apps based on design, cross-platform support, and collaboration features. Their top three – Todoist, Things, and Microsoft To Do – are the same apps that have dominated recommendation lists for years, though each has seen updates. The original article does not focus on privacy, but that’s where this analysis picks up.
Why it matters
Your to-do list often contains sensitive information: travel plans, health reminders, project milestones, and contact details. If an app collects this data for advertising or analytics, it becomes part of a broader digital profile that could be sold or leaked. Even metadata – like the frequency and timing of your tasks – can reveal patterns about your life.
Here is how the three Wirecutter picks handle data, based on their current privacy policies and security documentation.
Todoist (Doist) offers end-to-end encryption, but only on its paid Pro or Business plans. The free tier syncs data via Todoist’s servers with encryption in transit (TLS) and at rest, but Todoist holds the decryption keys. The company states it does not sell personal data and uses it only to provide the service, but it does collect usage analytics. If you need true end-to-end encryption, you’ll need to subscribe. For casual use, the free version may be acceptable, but your tasks are readable by Todoist.
Things (Cultured Code) takes a different approach. It is an Apple-only app, and it stores your data locally on each device. Sync between devices uses iCloud, which is encrypted in transit and at rest by Apple. However, standard iCloud encryption means Apple retains the ability to decrypt your data unless you enable Advanced Data Protection (which gives you end-to-end encryption for iCloud). Cultured Code itself does not see your tasks because it does not operate its own servers. This makes Things arguably the most privacy-friendly of the three – provided you trust Apple and use Advanced Data Protection. The downside: no web or Android access.
Microsoft To Do is part of the Microsoft 365 ecosystem. It syncs through your Microsoft account, and your data is subject to Microsoft’s privacy policy, which allows data collection for personalizing ads (though you can opt out of personalized ads). Microsoft uses encryption in transit and at rest, and for business accounts, it offers additional compliance controls. For personal use, Microsoft To Do is the least private option because its business model relies on advertising and user data analytics. If you are already using Microsoft 365, you may find it convenient, but be aware that your task list contributes to your advertising profile.
What readers can do
If privacy is a priority, here are concrete steps.
Choose your app accordingly: Things (with Advanced Data Protection enabled) gives you local storage and end-to-end iCloud encryption. Todoist Pro provides end-to-end encryption as part of the subscription. Microsoft To Do is best avoided if you are uncomfortable with Microsoft’s data practices, but if you must use it, go to your Microsoft account privacy dashboard, turn off “Personalized ads,” and review your activity history.
Enable encryption features: For Todoist, upgrade to Pro or Business and enable end-to-end encryption in settings. For Things, ensure you are using Advanced Data Protection for iCloud (requires iOS 16.2 or later and all devices updated). For Microsoft To Do, there is no end-to-end encryption option for personal accounts – you are relying on Microsoft’s internal security.
Limit what you store in tasks: Avoid writing full passwords, Social Security numbers, or other high-sensitivity data in any cloud-synced to-do app. Use a dedicated password manager or encrypted notes instead.
Review app permissions and sync settings: On your phone, check which apps have access to your to-do list data via sharing extensions or integrations. If you don’t need cross-platform sync, consider using a single-device app or a self-hosted solution like Vikunja.
Stay informed: Privacy policies change. Bookmark each app’s privacy page and review it once a year. The Wirecutter article itself is a good starting point for feature comparisons, but follow up with each developer’s security documentation.
No to-do app is perfectly private, but with a little effort you can pick one that matches your risk tolerance. For most people, Things with Advanced Data Protection strikes the best balance between usability and control. If you need cross-platform access, Todoist Pro is the better choice. And if you value convenience above all and trust Microsoft, Microsoft To Do works fine – just be aware of what you’re trading.
Sources
- Wirecutter, “The 3 Best To-Do List Apps of 2026,” The New York Times, December 2025.
- Todoist Security and Privacy Policy (doist.com).
- Cultured Code Privacy Policy (culturedcode.com).
- Microsoft Privacy Statement (microsoft.com/privacy).
- Apple iCloud Security Overview (support.apple.com).