The Best To-Do List Apps of 2026 That Also Protect Your Privacy

Wirecutter’s latest roundup of the best to-do list apps for 2026 names three clear winners: Things 3, Todoist, and Microsoft To Do. All three are polished, reliable, and widely used. But if you care about where your task data ends up, the choice is less straightforward. Not all of them treat your privacy the same way.

Here’s a look at what each app does with your information and what to consider if you want a to-do list that doesn’t trade your privacy for convenience.

What Happened

In December 2025, The New York Times’ Wirecutter published its annual review of to-do list apps, testing dozens of options for usability, cross-platform support, and features. Their three top picks for 2026 are:

  • Things 3 (best for Apple users)
  • Todoist (best for cross-platform flexibility)
  • Microsoft To Do (best for those already in the Microsoft ecosystem)

The reviews are thorough and useful for anyone choosing a task manager based on function. But Wirecutter’s evaluation does not dive deeply into data privacy or security—those factors are not part of their scoring criteria. That leaves a gap for readers who want to know what happens to their tasks, notes, and deadlines behind the scenes.

Why It Matters

To-do list apps often contain sensitive information: work projects, personal errands, health reminders, financial tasks, even passwords written in notes. If that data is stored on a company’s servers without strong encryption, it could be accessed by the provider, shared with third parties, or exposed in a breach.

Data breaches affecting productivity tools are not hypothetical. In 2023, Todoist confirmed a security incident involving unauthorized access to user accounts. Microsoft has also faced scrutiny over its data collection practices. And while Apple generally emphasizes privacy, Things 3’s optional iCloud sync depends on Apple’s cloud infrastructure, which is encrypted but still within Apple’s control.

Each of the three top apps has a different privacy profile:

  • Things 3 stores tasks locally on your device by default. If you enable iCloud sync, data is encrypted in transit and at rest, but Apple holds the encryption keys for iCloud backups. For most users, this is a reasonable compromise, but it is not fully end-to-end encrypted in the same way that, say, Signal messages are.

  • Todoist offers end-to-end encryption only for business subscribers on the Pro plan. Free and regular users’ data is encrypted in transit and at rest on Todoist servers, but the company can theoretically access your tasks. Todoist’s privacy policy also states they may share aggregated, non-personal data, and they use third-party services for analytics and customer support.

  • Microsoft To Do syncs via Microsoft’s servers and is subject to the Microsoft Services Agreement. Data is encrypted in transit and at rest, but Microsoft can access it for legitimate business purposes (such as improving the product or responding to legal requests). For users already invested in Office 365, the convenience is high, but the privacy trade-off is real.

What Readers Can Do

If privacy is a priority, you do not have to abandon these apps entirely. Here are practical steps to reduce exposure:

Choose Things 3 if you use Apple devices and do not need cross-platform access. Keep sync off or use iCloud only if you trust Apple’s policies. Since data lives locally, no third party touches your tasks unless you deliberately sync.

Use Todoist with caution for sensitive information. Avoid putting passwords, financial details, or personal data in task notes. If your organization pays for Todoist Business, you can enable end-to-end encryption, but verify that it covers your account.

Microsoft To Do is fine for low-stakes tasks. Because Microsoft’s business model relies on data analytics, treat this app as you would any free consumer service: do not store anything you would not want a stranger to read.

For maximum privacy, consider open-source alternatives. Taskwarrior (terminal-based) and Vikunja (self-hosted web app) give you full control. They are less polished but offer true data ownership. Vikunja can be self-hosted with end-to-end encryption if configured properly. These options require more technical effort but are worth it for anyone who needs absolute confidentiality.

Enable two-factor authentication on any to-do list account that supports it. This keeps someone who has obtained only your password from signing in to your account.

Review app permissions on your phone. Many to-do apps request access to contacts, calendar, or notifications unnecessarily. Deny what does not relate to core functionality.

Sources

  • The New York Times Wirecutter: “The 3 Best To-Do List Apps of 2026” (published December 10, 2025)
  • Todoist privacy policy and security documentation (accessed April 2026)
  • Microsoft Services Agreement and privacy statement (accessed April 2026)
  • Apple iCloud security overview (Apple Support, 2025)
  • Todoist security incident report (2023) – confirmed by Todoist blog

Choosing a to-do list app is ultimately about what you accept in exchange for convenience. The three Wirecutter picks are excellent tools, but each carries a different privacy footprint. By knowing how they handle your data, you can make an informed decision—and keep your task list private, not just organized.