Which To-Do List App Keeps Your Data Safe? A Privacy-Focused Guide to the Best of 2026

You might not think twice about letting a to-do list app store your grocery lists or work tasks, but these apps often ask for more data than they need. Contacts, calendar access, and even location permissions are routine for many productivity tools. With data breaches affecting popular apps in recent years, it’s worth knowing what you’re signing up for before you hand over your daily schedule.

Wirecutter’s 2026 review of the best to-do list apps tested dozens of options. Their top three picks—Todoist, Things, and Microsoft To Do—each have strong features, but they handle your data in very different ways. Here’s a closer look at what each one does with your information.

What happened: Wirecutter’s top three picks, through a privacy lens

Wirecutter’s team evaluated apps across categories like reliability, speed, and cross-platform support. They named Todoist as the best overall, Things as the best for Apple users, and Microsoft To Do as the best for Windows and Office users. For a detailed breakdown of features and usability, their full review is a good starting point. This article focuses on the privacy and security differences that may matter to you.

Why it matters: The risks of sharing too much with your task manager

When you enter a task like “call the bank” or “pick up prescription,” you may be sharing sensitive information with a third-party server. Most to-do apps sync your data across devices, which means it lives in the cloud unless an app offers local-only storage. That data can be accessed by the company, shared with third parties for analytics or advertising, or exposed in a breach. Many apps also request permissions to your contacts, camera, or location—access that has nothing to do with managing tasks.

Recent high-profile breaches of cloud-based productivity apps have shown that even companies with good security practices can be compromised. Choosing an app that collects minimal data and encrypts it properly reduces your exposure.

Deep dive: How the top three apps handle your data

Todoist

Todoist is the most feature-rich option, but its privacy protections are tiered. At the free and Pro levels, data is encrypted in transit and at rest on their servers, but Todoist (owned by Doist) can technically read that data. End-to-end encryption (E2EE) is only available for Business users, meaning no one at Todoist could decrypt those tasks even if they wanted to. For individuals, this means your task list is visible to Todoist, and the company uses third-party analytics services such as Google Analytics and Amplitude, which collect usage data.

Permissions: Todoist asks for access to contacts for sharing tasks, and location for geo-based reminders—both are optional but enabled by default on mobile.

Things

Things is a standalone Mac, iPhone, and iPad app that stores all your data locally on your device, with optional sync via Things Cloud. The key here is that Things Cloud is used only for sync; the data is encrypted end-to-end (the company uses Apple’s CloudKit infrastructure, which provides E2EE for synced data). The app itself does not collect usage data or serve ads. Because data lives primarily on your device, there’s less risk of a large-scale breach on the server side. The trade-off is that Things has no web or Windows version, so you’re locked into Apple’s ecosystem.

Permissions: Minimal. It requests access to calendar and reminders for import, but nothing else beyond what’s needed for syncing.

Microsoft To Do

Microsoft To Do is deeply integrated with Office 365, which is both its strength and its privacy weakness. The app syncs everything through Microsoft’s cloud. Microsoft’s enterprise-grade security has improved over the years, but their privacy policy still states that they use your data to provide personalized ads within Microsoft products (including To Do, if you’re on a free account). Data from To Do is also subject to law enforcement requests. For business accounts, administrators can access your tasks. Encryption is standard: data in transit is protected by TLS and data at rest by AES-256, but Microsoft holds the keys, so it is not end-to-end encrypted.

Permissions: Often broad. The app may request access to contacts, calendar, and email, especially if you use the “My Day” feature that pulls tasks from Outlook.

Quick comparison: Privacy and permissions at a glance

| App | Data storage | End-to-end encryption? | Third-party analytics? | Unnecessary permissions? |
|---|---|---|---|---|
| Todoist | Cloud (server-side encryption) | Business tier only | Yes (Google Analytics, Amplitude) | Contacts, location (optional) |
| Things | Local + encrypted cloud sync | Yes (via CloudKit) | No | Minimal |
| Microsoft To Do | Cloud (Microsoft servers) | No | Yes (for ad personalization) | Contacts, calendar, email |

What readers can do: Choose based on your privacy needs

If you need cross-platform access and advanced features, Todoist is a solid choice, but consider upgrading to Business for full E2EE if you handle sensitive work tasks. For individuals on a free plan, be aware that your data is visible to Doist and that analytics are collected.

If you live inside the Apple ecosystem and want the strongest local privacy, Things is the best option. It stores data locally, uses E2EE for sync, and asks for few permissions. The main drawback is the lack of a web or Android version.

If you rely on Windows or Microsoft Office, Microsoft To Do offers convenience, but you accept that Microsoft can read your tasks and may use them for advertising (unless you’re on a paid business plan with restricted data use). You should also audit its permissions to disable unnecessary access to contacts or email.

A practical step for any app you choose: check the permissions you’ve granted on your phone or desktop and disable anything that isn’t essential for the app to function. Most to-do apps don’t need your location or camera.
