Which To-Do List App Keeps Your Tasks (and Data) Safe? A Privacy-Focused Guide

Which To-Do List App Keeps Your Tasks (and Data) Safe? A Privacy-Focused Guide

A to-do list app holds your daily plans, work deadlines, personal reminders, and maybe even sensitive notes. When you hand that data over to a cloud-based service, you’re trusting the company with a detailed map of your life. The three apps that Wirecutter recommended as the best to-do list apps of 2026 are solid choices for getting organized, but they handle your privacy very differently.

Here’s a look at what each app collects, what it protects, and how you can lock things down a bit more.

What Happened

In December 2025, Wirecutter published an updated roundup of the best to-do list apps. After testing dozens of options, they settled on three standouts: Todoist, Things, and Microsoft To Do. The reviews focused on features, ease of use, and reliability. Since then, many readers have asked whether these picks also respect user privacy. This guide takes Wirecutter’s list and adds the security lens that their review didn’t cover in depth.

Why It Matters

Productivity apps often collect location data, device information, email addresses, and even the content of your tasks to improve features or sell targeted ads. Breaches are common—just look at the recent data leaks from several note‑taking and calendar apps. A compromised task list can reveal when you’re away from home, what projects you’re working on, or personal health reminders. For privacy‑conscious users, the choice of a to‑do app is not just about features; it’s about who gets to see your plans.

What Readers Can Do

Below is a privacy and security breakdown of each of Wirecutter’s top picks, along with tips to tighten your setup. The assessments are based on each app’s public privacy policy and technical documentation as of early 2026.

Todoist

• Data collection: Todoist collects your email, task content, and usage logs. It shares anonymized data for analytics. The free plan does not offer end‑to‑end encryption.
• Encryption: Data is encrypted in transit (TLS) and at rest, but Todoist holds the encryption keys. That means Todoist employees or a government request could theoretically access your tasks.
• Configuration tips:
  – Review the “Data & Privacy” section in your account settings. You can request deletion of old activity logs.
  – Disable “Share usage data” under Privacy settings.
  – If you need stronger confidentiality, consider the paid “Todoist Business” plan, which allows you to sign a Data Processing Agreement (DPA) for GDPR compliance.
• Verdict: Good for everyday use, but not ideal if you handle confidential work information.

Things (by Cultured Code)

• Data collection: Things syncs via iCloud (Apple). Cultured Code has no direct access to your tasks—Apple processes the sync data, which is encrypted end‑to‑end between your devices using iCloud’s encryption (if you have Advanced Data Protection enabled).
• Encryption: Because Things relies on your iCloud account, the privacy level depends on your Apple settings. With Advanced Data Protection turned on, even Apple cannot read your tasks. Without it, Apple can technically decrypt iCloud data but states it doesn’t do so for personal content.
• Configuration tips:
  – Enable Advanced Data Protection for iCloud (requires iOS 16.2+ or macOS 13.1+). This makes Things one of the most private to‑do apps available.
  – Avoid using Things with a work iCloud account if you use a managed device—your employer may have access.
• Verdict: Excellent for privacy when set up correctly, but limited to Apple users only.

Microsoft To Do

• Data collection: Microsoft collects task content, sign‑in data, and device information. The free service includes ads (though not personalized based on your tasks). Microsoft’s privacy policy is more detailed than most, and they do not use your content for marketing or sell it to third parties.
• Encryption: Data is encrypted in transit and at rest. Microsoft uses its own key management; it does not offer end‑to‑end encryption for To Do.
• Configuration tips:
  – Go to the Microsoft Privacy Dashboard and limit activity history retention.
  – Use the app with a personal Microsoft account, not a work or school account, to avoid automatic data sharing with your IT department.
  – Turn off “Personalized advertising” in your account settings. This prevents your other Microsoft activity from being used to show ads in other apps.
• Verdict: Reasonable for casual use, but not recommended for sensitive information. The lack of end‑to‑end encryption means Microsoft could technically access your data if required by law.

For the privacy‑conscious: an alternative worth considering

None of the three picks above support true end‑to‑end encryption across all platforms (except Things on Apple’s iCloud with Advanced Data Protection). If you need that guarantee on any device, look at Standard Notes (paid plans) or Trello (if using a self‑hosted option with a third‑party encryption layer). These are not to‑do list apps per se, but they can fill the role with strong encryption.

Sources

• Wirecutter, “The 3 Best To‑Do List Apps of 2026,” December 2025.
• Todoist Privacy Policy (2025 version).
• Things 3 Privacy Policy (Cultured Code, 2025).
• Microsoft Privacy Statement (January 2026).
• Apple iCloud Security Overview (2025).