The Best To-Do List Apps of 2026: Which Ones Protect Your Privacy?

If you’ve glanced at productivity recommendations this year, you’ve likely seen Wirecutter’s top three to-do list apps for 2026: Todoist, Things, and Microsoft To Do. Each is well regarded for getting tasks done across devices. But there’s a second layer to these recommendations that often goes unexamined—how your task data is handled on the backend. As data breaches and privacy lawsuits become more common, choosing an app based only on its features may leave your personal schedule, grocery lists, and work obligations exposed in ways you didn’t expect.

Here’s a closer look at the privacy and security landscape for these three apps, and what you can actually do about it.

What Happened

In December 2025, Wirecutter (owned by The New York Times) published its updated guide to to-do list apps, naming Todoist, Things, and Microsoft To Do as the top choices. Their comparative reviews covered usability, platform coverage, and reliability. They did not, however, focus primarily on the apps’ privacy and security postures. Meanwhile, news of data scraping, third-party trackers, and encryption gaps at other productivity services has made many users more cautious about where they store even mundane task lists.

Our fact-checking of the apps’ current security documentation shows significant differences in how each protects your data at rest and in transit. These differences matter because a to-do list app often becomes a repository for appointments, personal reminders, and sometimes sensitive notes.

Why It Matters

A to-do list may seem low-risk compared to a password manager or financial app. But consider what you put in it: doctor’s appointments, travel itineraries, grocery preferences, work deadlines, and even passwords or PINs jotted down in a “notes” field. If that data is collected, shared, or leaked, the consequences can range from minor embarrassment to identity theft.

The key question is whether an app uses end-to-end encryption (E2EE) so that even the service provider cannot read your data. None of the three Wirecutter picks offers E2EE for all users by default. Here is a breakdown:

  • Todoist provides E2EE only for business and Pro accounts (by enabling the “encryption” feature in settings). Free and basic users’ data is encrypted only in transit and at rest on Todoist’s servers—meaning the company holds the decryption keys.
  • Things stores data locally on your device and syncs via Apple’s iCloud. iCloud encrypts data in transit and at rest, but Apple holds the encryption keys. Things does not offer an option for client-side or end-to-end encryption.
  • Microsoft To Do syncs through Outlook and Exchange Online. Microsoft encrypts data in transit and at rest, and offers a “Customer Key” for enterprise users who want to control encryption keys. Regular users do not get that control.

In short, none of the three gives a standard consumer full control over who can read their data. That may be acceptable for many people, but it’s worth knowing before you type sensitive information into a task.

What Readers Can Do

You don’t have to abandon your favorite to-do app entirely. A few practical steps can reduce your exposure:

  1. Check and adjust your encryption settings – If you use Todoist and have a Pro or Business plan, enable end-to-end encryption under Settings > Security. For Things and Microsoft To Do, no E2EE toggle exists for personal accounts at the time of writing.

  2. Avoid storing highly sensitive text in tasks – Do not put passwords, financial account numbers, or legal details directly in to-do notes or descriptions. Use a dedicated encrypted notes app for that.

  3. Review app permissions and third-party connections – De-authorize any calendar, email, or integration that the app doesn’t need. In Todoist, you can check “Integrations” to see what third-party services have access. In Microsoft To Do, review connected accounts in your Microsoft account dashboard.

  4. Consider an open-source or E2EE-first alternative – If privacy is a hard requirement, look at apps like Standard Notes (which offers E2EE on all plans) or TickTick (which provides E2EE for premium users). Wirecutter did not rank these as top picks in the same category, but they are viable options if security is your priority.

  5. Use a strong, unique password and enable two-factor authentication – This step protects your account even if the app’s encryption is not end-to-end.
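
For step 2, an added example (not from the original article or from any of the apps): a small Python audit that flags tasks whose text looks like it contains a card number, a PIN or a password. The task records and the "title"/"notes" field names are constructed for illustration; copy your own tasks into the same shape to check them.

```python
import re

# Constructed sample tasks; the "title"/"notes" field names are assumptions,
# not the export format of Todoist, Things or Microsoft To Do.
SAMPLE_TASKS = [
    {"title": "Pay electricity bill", "notes": "card 4111 1111 1111 1111 exp 09/28"},
    {"title": "Call bank", "notes": "ATM PIN: 4821"},
    {"title": "Router setup", "notes": "wifi password = Tr0ub4dor&3"},
    {"title": "Order parts", "notes": "tracking 1234 5678 9012 3456"},
    {"title": "Buy milk", "notes": "2 litres, semi-skimmed"},
]

# 13 to 19 digits, optionally grouped with spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PIN_RE = re.compile(r"\bpin\b\W{0,3}\d{4,8}\b", re.IGNORECASE)
SECRET_RE = re.compile(r"\b(?:password|passwd|pwd|passcode)\b\s*[:=]\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs such as tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def findings(text: str) -> list[str]:
    """Return the kinds of sensitive data that appear in one text field."""
    kinds = []
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        kinds.append("card_number")
    if PIN_RE.search(text):
        kinds.append("pin")
    if SECRET_RE.search(text):
        kinds.append("password")
    return kinds


def audit(tasks: list[dict]) -> dict[str, list[str]]:
    """Map task title -> finding kinds, keeping only tasks with a finding."""
    report = {t["title"]: findings(f"{t['title']} {t.get('notes', '')}") for t in tasks}
    return {title: kinds for title, kinds in report.items() if kinds}


if __name__ == "__main__":
    for title, kinds in audit(SAMPLE_TASKS).items():
        print(f"{title}: {', '.join(kinds)}")
```

The Luhn check keeps the 16-digit tracking number from being reported as a card; the patterns are heuristics, so an empty report does not prove that a list holds nothing sensitive.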

Sources

  • Wirecutter, “The 3 Best To-Do List Apps of 2026,” December 2025 (including their testing methodology and final picks)
  • Todoist Security page: documentation of encryption tiers
  • Things support knowledge base: sync and privacy description
  • Microsoft documentation: encryption for Microsoft 365 and To Do
  • Standard Notes privacy whitepaper for comparison on E2EE

The bottom line: the best to-do list app for you depends on more than just feature lists. Understanding the privacy trade-offs lets you make a choice that fits both your workflow and your risk tolerance.