Which To-Do List Apps Actually Respect Your Privacy?

Every year, product review sites like Wirecutter publish their picks for the best to-do list apps. Their recent roundup of the top three for 2026—Todoist, TickTick, and Things 3—is a good starting point if you’re looking to get organized. But if you’ve been paying attention to how apps handle your data, you might wonder: does using one of these mean handing over details about your daily tasks, habits, and even your location?

To-do data can be surprisingly revealing. A list like “pick up meds,” “call lawyer,” or “plan anniversary dinner” says a lot about your life. So it’s worth asking which apps treat that information as yours and which treat it as part of a business model. Here’s a privacy-focused look at Wirecutter’s top three, plus a few things you can do to protect yourself.

What Happened

Wirecutter updated its “best to-do list apps” guide in late 2025, naming Todoist, TickTick, and Things 3 as its top picks across platforms. The reviews focus on features, ease of use, cross-device sync, and reliability—which matter for productivity. But the guide does not assess how each app handles user privacy, what data it collects, or whether your task information could be shared with advertisers or third parties.

That’s not a knock on Wirecutter; their criteria are different. But as consumers become more aware of data breaches and surveillance-based advertising, the privacy profile of an app matters as much as its functionality.

Why It Matters

The three recommended apps have very different privacy postures.

Todoist is a cloud-based service. Your tasks are stored on its servers, and while the company says it uses encryption in transit and at rest, it does not offer end-to-end encryption. That means Todoist (or anyone who compromises its servers) can theoretically read your task data. The company’s privacy policy states that it collects personal information, usage data, and even details about how you interact with the app. Some of that may be shared with analytics partners.

TickTick is similar. It stores data in the cloud by default and has no local-only mode. The app does include some privacy features—like the ability to lock the app with a PIN—but your task content lives on TickTick’s servers. Its privacy policy mentions collecting device identifiers, crash logs, and usage patterns. Again, no end-to-end encryption.

Things 3 takes a different approach. It’s an Apple-only app that stores your data locally on your device. Sync happens through iCloud, which uses end-to-end encryption by default. That means even Apple cannot read your task list. Things 3’s developer, Cultured Code, says it does not collect any personal data—the app simply works without phoning home for anything other than optional crash reporting.

Among the three, Things 3 is the clear privacy winner. But it’s limited to Apple devices and costs a one-time fee (currently around $20 for iPhone and $50 for Mac). That trade-off may be worth it for many users.

Other apps worth mentioning: Microsoft To Do is convenient if you’re in the Microsoft ecosystem, but your data is subject to the same policies as Office 365—meaning Microsoft can access it. Open-source alternatives like Vikunja or Tasks.org offer far more control, though they require some setup.

What Readers Can Do

You don’t have to take any app’s privacy policy at face value. Here are a few practical steps to protect your task data:

  • Check the app’s privacy policy yourself. Look for terms like “end-to-end encryption,” “local storage only,” or “no data collection.” If the policy says it collects “device identifiers,” “usage data,” or “analytics,” assume your activity is being tracked.
  • Disable cloud sync when possible. Some apps (like TickTick and Todoist) require an online account to function. If you can, use the app offline only and back up manually.
  • Use strong, unique passwords and enable two-factor authentication. Even if the app doesn’t have great privacy protections, keeping your account locked down helps.
  • Review app permissions on your phone. A to-do app doesn’t need access to your contacts, camera, or microphone. Deny any unnecessary permissions.
  • Consider open-source or device-first alternatives. If you’re willing to trade some convenience for privacy, apps like Vikunja (self-hosted) or Things 3 (local-first) are strong options.

At the end of the day, the right choice depends on your threat model. If you’re a journalist, activist, or simply someone who values keeping your plans private, a cloud-only app like Todoist or TickTick might not be acceptable. If you’re a regular user who isn’t worried about task data being used for advertising, the convenience of cloud sync may outweigh the risks. Just be aware of the trade-off, and make an informed decision.

Sources

  • Wirecutter, “The 3 Best To-Do List Apps of 2026,” December 2025 (updated for 2026).
  • Todoist privacy policy (accessed May 2026).
  • TickTick privacy policy (accessed May 2026).
  • Cultured Code privacy page for Things 3 (accessed May 2026).
  • Apple iCloud security overview (Apple Support, accessed May 2026).