Security & privacy
Your task list can hold things you'd rather keep to yourself. This page explains — in plain language, without marketing — how your data is protected, what we can see, and what we can't. It is kept in sync with what the software actually does.
How your data is protected
Encrypted in transitEverything travels over HTTPS only. Browsers are instructed (HSTS) to never use an unencrypted connection, and content-security rules block foreign scripts from running on the site.
Encrypted on diskYour tasks, notes and attachments are stored encrypted with AES-256-GCM — the standard used by banks. The key is kept separately from the data, so database files or backups alone are unreadable.
Your passwordNever stored. We keep only a salted scrypt hash — a one-way fingerprint that is deliberately slow to compute, which makes bulk password cracking impractical. We never see or log the password itself.
Login protectionRepeated wrong passwords lock the account for a cooldown — even when the attempts come from many different network addresses.
Sessions you controlSigning in creates a session you can see and revoke: the Devices button in the app lists every signed-in browser, with one-click sign-out. Changing your password signs out all other devices automatically. Idle sessions expire by themselves.
AttachmentsFiles you attach are stored encrypted, served only to your own account, and delivered with strict browser rules (sandboxing) so an uploaded file can never run as code on the site.
Workspace isolationEvery workspace is a separate store. There is no query, URL or id that reaches another person's tasks — file access is checked against your own session on every request.
Locked categoriesA category with a password is enforced on the server, not just hidden in the browser: its tasks are withheld from every response until you unlock it.
What we can and cannot see
Honesty matters more than a perfect-sounding claim, so here is the precise line: data is encrypted on disk, but the server necessarily decrypts it while serving your requests — like almost every web app (including most big-name to-do apps). What that means:
We cannotRead your password. Read your data from disk files or backups without the separately-stored key. See another user's tasks through the app, ever.
We technically couldAn administrator of the server could, in principle, read task content while the service is running. We don't — there is no analytics, profiling, or advertising anywhere in the product — but you deserve to know the boundary.
RoadmapTrue end-to-end encryption — where task content is encrypted in your browser and the server only ever stores ciphertext no one but you can open — is in development, along with optional two-factor login.
What we don't do
No trackingNo analytics scripts, no ad networks, no cookies beyond the ones that sign you in.
No selling dataYour data is not shared with or sold to anyone. It exists to render your page, nothing else.
No lock-inYour tasks are yours. Delete them and they're gone from the live store; encrypted backups rotate out on a short schedule.