Which To-Do List App Is Best for Your Privacy? A Security-Focused Guide

If you rely on a to‑do list app to manage your day, you’re probably keeping more than grocery lists in it — meeting notes, project deadlines, passwords you’ve jotted down, even personal reminders. That’s private information. Yet most productivity apps collect a surprising amount of data about how you use them, and some share it with third parties.

Wirecutter’s December 2025 guide to the 3 best to‑do list apps of 2026 picks three solid tools: Todoist, Things 3, and Microsoft To Do. But their privacy and security features differ significantly. Here’s what you need to know before you trust your tasks to any of them.

What Happened

Wirecutter’s team tested dozens of to‑do apps for usability, reliability, and value. Their top three as of late 2025 were:

  • Todoist – a cross‑platform app that syncs across devices.
  • Things 3 – an elegant option for Apple users only.
  • Microsoft To Do – free and deeply integrated with Office 365.

The review focused on features, design, and performance. Privacy was not the primary lens, but it’s worth examining because each app handles your data differently.

Why It Matters

A to‑do list app can reveal a lot: your work schedule, health appointments, upcoming trips, and recurring tasks like bill payments. If the app’s cloud storage is compromised, or if the company sells or shares your data with advertisers, that information becomes less private.

Many free apps generate revenue by collecting usage data. Even paid apps may store your tasks on servers you don’t control. And permissions — like access to your calendar, contacts, or camera — can be over‑broad. The question is not whether an app works well, but whether you can trust it with your to‑do list’s contents.

What Readers Can Do

Look at encryption

  • Todoist encrypts data both in transit (using TLS) and at rest. However, it stores your tasks on its own servers, and the company’s privacy policy states it collects usage data to improve the service. If you need end‑to‑end encryption, Todoist doesn’t offer it — the company can technically read your tasks if required.
  • Things 3 stores your data locally on your Apple device by default. It also offers optional cloud sync via Things Cloud, which uses encrypted connections. Because the data lives primarily on your device, you have more control. Be aware that Things Cloud is operated by Cultured Code; their privacy policy says they collect minimal information but do store task content temporarily for sync.
  • Microsoft To Do stores your tasks on Microsoft’s cloud servers. The service uses encryption in transit and at rest, but Microsoft’s privacy policy allows the company to collect and use data for “improving products” and, in some cases, for personalized advertising (you can opt out in your account settings). For users already in the Microsoft ecosystem, this may be an acceptable trade‑off, but it’s worth reviewing.

Check permissions and account security

Regardless of which app you choose, take these steps:

  • Review permissions. On iOS or Android, check what the app can access — calendar, contacts, camera, location. Deny anything that isn’t necessary for its core function. A to‑do app does not need your microphone.
  • Enable two‑factor authentication (2FA) if the app or its underlying account (e.g., Microsoft account) supports it. This protects your data even if your password is stolen.
  • Use a strong, unique password for the app account. Consider a password manager.
  • Read the privacy policy before you commit. Look for sections on data sharing, retention, and how to delete your account. If the policy is vague or overly broad, that’s a red flag.

Consider local‑first options

If you are especially privacy‑conscious, Things 3’s local storage model is appealing. Todoist and Microsoft To Do rely on cloud sync, but you can mitigate risks by not storing highly sensitive information (like passwords) in any task description. For truly confidential lists, a local note‑taking app with encryption (e.g., Apple Notes with device‑level encryption or Obsidian with a local vault) may be better.

No app is perfect, but being aware of each one’s data practices lets you make an informed choice — and take steps to protect what you put into it.

Sources

  • Wirecutter, “The 3 Best To‑Do List Apps of 2026,” December 2025 (The New York Times).
  • Privacy policies and support pages of Todoist, Cultured Code (Things 3), and Microsoft To Do, accessed May 2026.