Which To-Do List App Is Actually Private? Our 2026 Picks

Every year, The New York Times’s Wirecutter team updates its guide to the best to-do list apps. The 2026 edition landed in December 2025, and it’s a solid starting point if you want something that just works. But Wirecutter’s top picks are chosen for overall usefulness, speed, and features—not for privacy. If you’re the kind of person who thinks twice before handing over your daily schedule, project notes, and recurring tasks to a company, those recommendations may not be enough.

Here’s what happened, why it matters, and which apps you should actually consider if keeping your task data private is a priority.

What Happened

In December 2025, Wirecutter published its latest roundup: “The 3 Best To-Do List Apps of 2026.” The winning apps were chosen after weeks of testing across different devices and use cases. Their top picks this year included Things 3 (best for Apple users), Todoist (best cross-platform), and Microsoft To Do (best for people already in the Microsoft ecosystem). All three are well-built and widely used.

However, Wirecutter’s methodology focuses on design, reliability, and features like natural language input and smart lists. Privacy and data-handling practices were not a primary filter. That doesn’t mean the picks are bad—it means they weren’t evaluated with your threat model in mind.

Why It Matters

To-do list apps often have access to surprisingly sensitive information. They know what you need to do, when you do it, how often you procrastinate, and sometimes even where you are when you check off an item. That data can be used to profile you, serve targeted ads, or train machine learning models—depending on the app’s privacy policy.

Todoist, for example, used to store task data on servers in the United States and allowed third-party integrations that could process your data. As of early 2026, Todoist has improved its transparency and offers end-to-end encryption for team projects, but the free tier still relies on data processing for some features. Microsoft To Do, on the other hand, is tightly integrated with Microsoft 365, and while Microsoft has strong enterprise security certifications, its consumer services often feed into the company’s broader advertising ecosystem. Things 3 is a bright spot: it stores everything locally on your device and syncs only via Apple’s iCloud (which is encrypted), so the developer never sees your data.

The bottom line is that you can’t assume a popular app respects your privacy just because it’s well-reviewed. The 2026 Wirecutter guide is a great place to start, but you need to ask a few more questions before downloading.

What Readers Can Do

Here are three concrete steps to choose a to-do list app that doesn’t sell or misuse your data.

1. Look for Local Storage or End-to-End Encryption

Apps that keep your tasks on your own device—or sync them only through an encrypted channel—are much harder for the developer to monetize. Things 3 for Apple devices is the clearest example: data stays in iCloud, and the developer (Cultured Code) cannot read it. On Android and Windows, TickTick offers an optional end-to-end encryption mode that covers task notes and lists, though not all metadata is encrypted.

If you need team collaboration, Trello (owned by Atlassian) and Notion are popular, but both have been scrutinized for data access. Notion, for instance, staff can theoretically see your workspace content unless you use its private workspace mode with a personal account—and even then, it’s not zero-access encrypted.

2. Check the Privacy Policy in Five Minutes

Skip the legalese and focus on three things:

  • Data collected: Does the app collect “analytics” that include task names and completion times? Some apps log every action to improve the product, but that data can be de-anonymized.
  • Third-party sharing: Look for words like “service providers,” “partners,” and “advertising.” If an app uses your task data to show ads, that’s a red flag.
  • Data retention: How long does the company keep your tasks after you delete them? Some apps keep backups for months.

A good shortcut is to search the policy for “sell,” “advertising,” and “AI training.” If any of those appear, assume your data is being used for purposes beyond simply syncing your lists.

3. Consider Offline-First Apps

If you want maximum control, go offline-first. Obsidian and Logseq are note-taking tools that can double as to-do lists, and everything stays in plain text files on your computer. Sync is optional and can be handled by a service you trust (e.g., Syncthing, Nextcloud). The trade-off is less convenience: no mobile notifications, no natural language reminders, and no shared team lists without a bit of setup.

For most people, a middle ground works: choose an app that offers true end-to-end encryption (like Standard Notes or Tuta Calendar) or stick with Things 3 if you’re on Apple devices.

Sources

  • Wirecutter / The New York Times, “The 3 Best To-Do List Apps of 2026” (December 2025). Available at: https://www.nytimes.com/wirecutter/reviews/best-to-do-list-apps/ (note: current URL may differ; verify via search engine).
  • Todoist privacy policy, updated 2025.
  • Microsoft To Do privacy documentation, Microsoft 365 compliance center.
  • Things 3 security overview, Cultured Code.

A quick caveat: App privacy policies and encryption features change. The recommendations above were accurate as of early 2026, but you should verify each app’s current data practices before committing your schedule to it. When in doubt, an app that stores data locally and doesn’t phone home is almost always the safer bet.