Which to-do list app is safest? We checked the privacy of Wirecutter’s top picks
A good to-do list app keeps you organized. But it also collects a surprising amount of personal data: task contents, deadlines, often your location, calendar, and contacts. In 2025, Wirecutter published its updated picks for the three best to-do list apps. The review focused on features, ease of use, and reliability. What it didn’t cover in depth is how well each app protects your privacy and security.
We took a closer look at the privacy policies, encryption practices, and data-sharing behaviors of those three apps — Todoist, TickTick, and Microsoft To Do — so you can make a choice that respects both your schedule and your personal information.
What happened
Wirecutter’s December 2025 review named Todoist its top pick for most people, with TickTick as a feature-packed alternative and Microsoft To Do as the best free option for Windows and Office users. These three apps dominate the market and have millions of users.
Our assessment of their privacy and security posture was based on publicly available information: privacy policies, security documentation, and past public statements or incident reports. We did not test the software ourselves for vulnerabilities. And because policies and features can change, what we describe here reflects the state as of early 2026.
Why it matters
To-do list apps are not just passive storage. They sync across devices, often integrate with calendars, email, and file services, and sometimes request access to your contacts, microphone (for voice notes), or GPS location (for location-based reminders). That access can be a vector for data leaks or misuse.
Most users assume their to-do data is private. But many apps store tasks in plaintext on their servers, share data with third-party analytics or advertising partners, or lack end-to-end encryption for synced content. A compromised account could expose not just your errands but also sensitive project details, health appointments, or work-related information.
App-by-app privacy breakdown
Todoist (owned by Doist) offers end-to-end encryption for task content on its paid Pro and Business plans. Free users’ data is encrypted in transit and at rest but not end-to-end, meaning Doist could technically access it. The company says it does not sell personal data, but its privacy policy notes it shares data with service providers (like cloud hosting) and may disclose data if required by law. Two-factor authentication is available. Todoist requests minimal permissions by default.
TickTick uses industry-standard encryption in transit (TLS) and at rest (AES-256), but does not advertise end-to-end encryption. The company’s privacy policy allows sharing data with “affiliates and third parties for business purposes,” which could include analytics. TickTick may collect usage statistics and device information. It also offers 2FA. Because it stores tasks without E2EE, a data breach could expose the full contents of your tasks.
Microsoft To Do is built on the Microsoft Graph, meaning it shares the same security and privacy framework as Outlook, OneDrive, and Office 365. Data is encrypted in transit and at rest. Microsoft offers customer-managed keys for enterprise users but not for personal accounts. The company does not use your task data for advertising, but it does collect telemetry and may share data with third-party service providers. As a cloud service operated by a large corporation, it is subject to government data requests, as Microsoft has acknowledged. 2FA is available and recommended.
None of the three apps has had a publicized data breach as of early 2026, but that does not guarantee future safety. The primary privacy difference lies in whether your task content is readable by the service provider.
What readers can do
Regardless of which app you choose, you can take a few steps to reduce your risk.
- Turn on two-factor authentication. Every app in this list supports it. Enable it through your account settings.
- Review app permissions. On your phone, check what the to-do app can access. Disable location, contacts, or microphone access if you don’t need them.
- Use a strong, unique password. A password manager is an easy way to generate and store one.
- Read the privacy policy with a critical eye. Look for any mention of data sharing with third parties, data retention periods, and whether you can request deletion of your data. If the policy is vague or allows broad sharing, consider that a red flag.
- Consider a self-hosted or offline alternative. If privacy is your top priority, apps like Standard Notes (with a tasks plugin) or simple text files may be more secure, though they lack the convenience of cloud sync and collaboration.
Sources
- Wirecutter, “The 3 Best To-Do List Apps of 2026,” December 2025
- Todoist privacy policy and security documentation (doist.com)
- TickTick privacy policy (ticktick.com)
- Microsoft Privacy Statement and To Do security overview (microsoft.com)
Note: The analysis above is based on publicly available information as of May 2026. Policies and features may have changed since then. Always verify current terms before relying on an app for sensitive data.