The Privacy Trade-Offs in 2026’s Best To-Do List Apps
Wirecutter’s annual roundup of the best to-do list apps for 2026 highlights three standout contenders—Todoist, Things 3, and Microsoft To Do. Each excels at keeping you organized, but if you’re concerned about how your task data is stored, shared, or sold, you’ll want to look beyond features and design.
Data privacy isn’t just a niche worry anymore. Task lists often contain personal commitments, work deadlines, health reminders, and even passwords or sensitive notes. Many apps sync across devices and store your data on cloud servers, making it worth understanding exactly what each service collects and what protections are in place.
Below, we break down the privacy practices for each of Wirecutter’s top picks. Policies change, so consider this a snapshot based on their current terms (as of early 2026).
What Happened: Wirecutter’s 2026 Picks
Wirecutter’s December 2025 review named Todoist as the best overall to-do app, Things 3 as the best for Apple users, and Microsoft To Do as the best for Windows and Office power users. All three are polished and widely used, but they take different approaches to user data.
- Todoist (by Doist) runs on a freemium model, stores tasks on its servers, and relies on advertising only in its free tier.
- Things 3 (by Cultured Code) is a paid app with no cloud of its own—it syncs through Apple’s iCloud.
- Microsoft To Do (part of the Microsoft 365 ecosystem) syncs via your Microsoft account and is integrated into the company’s broader advertising and AI services.
Why It Matters: The Privacy Breakdown
Todoist
Todoist collects account information (name, email), task content, and usage analytics. According to its privacy policy, the company uses encryption in transit and at rest, but does not offer end-to-end encryption for task data. That means Doist could technically read your tasks, and they may share anonymized data with third-party analytics providers. In 2023, they introduced a “snapshot” feature that stores task versions for up to 90 days. The free plan shows ads, which likely involve some level of profiling, although Doist says they do not sell personal data.
What this means for you: Your task content isn’t fully private from the company. If you’re storing passwords or sensitive plans, treat Todoist as a semi-public notepad.
Things 3
Things 3 uses iCloud to sync, which means Cultured Code itself never sees your task data. Apple handles the synchronization with end-to-end encryption enabled by default for iCloud Data (including app data). Things 3’s privacy policy states they collect minimal analytics (crash reports, usage stats) but no task content.
Caveat: Your privacy depends on Apple’s iCloud policies. If you trust Apple not to read your data, Things 3 is the most private option here. However, it’s only available on Apple devices and costs a one-time purchase ($49.99 per platform).
Microsoft To Do
Microsoft To Do collects task data and ties it to your Microsoft account. The company uses this data to improve its services and may share aggregated or anonymized data with advertisers (if you’re on a free account). Microsoft’s privacy policy is extensive, but it explicitly states they may process user content, including tasks, for “essential” services and to “develop and improve” their products. There is no end-to-end encryption for task content in Microsoft To Do.
What this means for you: If you use Microsoft To Do, assume your tasks are part of Microsoft’s data ecosystem. This may be acceptable if you’re already in that ecosystem, but those seeking strong privacy will want to look elsewhere.
Feature Comparison: Security at a Glance
| Feature | Todoist | Things 3 | Microsoft To Do |
|---|---|---|---|
| End-to-end encryption | No | Yes (via iCloud) | No |
| Encryption in transit | Yes | Yes | Yes |
| Encryption at rest | Yes | Yes (iCloud) | Yes |
| Option to self-host / offline | Partial (offline mode) | Yes (full offline) | Partial (offline sync) |
| Analytics / tracking | Moderate | Minimal | Extensive |
| Third-party sharing | Aggregated only | None | Yes (with advertisers on free tier) |
| Cost | Free / Premium $4/mo | $49.99 per platform | Free |
| Platform | All major | Apple only | All major |
What Readers Can Do: Choosing Based on Privacy
Your choice comes down to two factors: how much you share with the app maker, and on which devices you need to work.
For maximum privacy: Things 3 is the clear winner, provided you’re an Apple user. Its use of iCloud with end-to-end encryption means Cultured Code never sees your data. The trade-off is cost and platform lock-in.
For a balanced middle ground: Todoist gives you cross‑platform access and reasonable privacy practices, but avoid storing anything sensitive unless you use their “encrypted note” feature (which is a separate, client‑side encryption option not applied to regular tasks). Turn off analytics in settings.
If you’re tied to Microsoft: Use Microsoft To Do but treat it as a public tool. Do not store passwords, health info, or any other sensitive content. Consider an app like Standard Notes or a password manager for those items instead.
A practical step for any app: Review the app’s privacy policy directly every few months. Policies change, and new features (like AI assistants) may add data collection.
Sources
- Wirecutter: “The 3 Best To-Do List Apps of 2026” (The New York Times, December 2025)
- Todoist Privacy Policy (doist.com/privacy)
- Cultured Code (Things) Privacy Policy (culturedcode.com/privacy)
- Microsoft Privacy Statement (privacy.microsoft.com)
Note: This analysis reflects policies as of early 2026. App privacy settings and encryption features may have changed since publication.