Encryption & Privacy

We’ve taken great care to ensure your data remains private and secure – even we can’t access it, and neither can your ISP, government, or any malicious actor on the internet.

The information you keep in your tasks, notes, journal, or elsewhere is end-to-end encrypted and remains completely private, accessible only to you. Protecting your privacy matters deeply to us, and our commitment goes beyond just encrypting your data.

Most other apps and services – including popular ones like Todoist, TickTick, or Evernote – not only have access to your data, but also collect and track a lot of additional information about you, such as who you are, where you are, how you use their app, and more. You’re always monitored without even knowing.

This makes Lunatask different from most apps – end-to-end encryption, no tracking, no data collection, no server logs. We don’t need that to provide the service to you.

Info

Forgot or lost your master password? Continue here 👈

End-to-end encryption

We employ encryption to give you a private space on the internet where no one can spy on you along the way – your data is none of our business.

Note

Encryption isn’t optional – it’s always on and automatically activated when you sign up.

The data you type and enter into Lunatask is encrypted on your device before it’s sent to be securely stored in our cloud and synced across all your devices. From tasks and notes to habits, journal entries, relationship details, and so on.

Secret keys generated from the password you chose during sign-up are used for encryption. We don’t have access to the private key required to decrypt your data. Even though your data is securely stored in our cloud and seamlessly synced across all your devices, no one can access it there. Even if someone got hold of it, they wouldn’t be able to read it – and neither can we.

Note

Given the nature of our app, our approach to encryption sits between fully unprotected apps that store your data in plain, human-readable form in the cloud (such as Todoist, TickTick, Trello, or JIRA) and highly secure vaults on the other end (such as password managers).

It’s still up to you to secure and protect your own device, while we’ll take care of protecting your data in the wild on the web. For added protection, you can secure your journal, individual notebooks, and relationships with a four-digit PIN – available in the app’s settings.

caution

Given Lunatask’s complex data model and its origin story as an encrypted app, creating a fully zero-knowledge app would be challenging. Therefore, other details (metadata) about a task, such as its status, priority, or assigned dates, are stored unencrypted.

We have a pragmatic approach, not a paranoid one. Even if someone could follow the breadcrumbs (metadata), they still wouldn’t know what the task is about. Trying to balance security and practicality, we don’t consider a task’s status (like “In Progress”) to be sensitive information.

If you’re looking for a fully zero-knowledge app, check out our friends at Standard Notes.

What algorithms does Lunatask use for encryption?

Lunatask uses Curve25519, XSalsa20, Poly1305, and Argon2id. To avoid implementation mistakes, encryption is handled by an open-source cryptography library called NaCl – a proven cryptographic solution trusted by many other encrypted apps, including Standard Notes.

What about server-side integrations?

Data sent to our server-side integrations is encrypted using your public key as soon as it reaches our servers – and we keep no logs. This is possible because Lunatask uses asymmetric encryption (also known as public-key cryptography).

Your Lunatask account has two encryption keys – a private key and a public key. The public key can be shared with anyone (hence its name) and allows incoming messages to be encrypted and added to your account. But while used to encrypt information, it can’t be used to decrypt it.

Our servers know your public key, but not the private one, enabling server-side integrations.
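
The pattern described above, as an added example that is not Lunatask’s own code: a server that knows only the account’s public key encrypts incoming data, and only the device holding the private key can open it. It uses Node’s built-in X25519, HKDF-SHA256 and ChaCha20-Poly1305 as stand-ins for the NaCl primitives named earlier; the function names, the `INFO` label and the sample message are assumptions made for illustration.

```javascript
// Added example (not Lunatask code). Stand-in primitives from Node's built-in
// crypto: X25519 + HKDF-SHA256 + ChaCha20-Poly1305 instead of NaCl's box.
const { generateKeyPairSync, diffieHellman, hkdfSync, createCipheriv,
        createDecipheriv, createPublicKey, randomBytes } = require('node:crypto');

const INFO = 'example-integration-seal'; // hypothetical domain-separation label

// Derive a one-off symmetric key from the X25519 shared secret.
function deriveKey(shared, ephPubDer) {
  return Buffer.from(hkdfSync('sha256', shared, ephPubDer, INFO, 32));
}

// SERVER: knows only the account's public key. It encrypts incoming data with a
// fresh ephemeral key pair and discards the ephemeral private key afterwards.
function sealForAccount(accountPublicKey, plaintext) {
  const eph = generateKeyPairSync('x25519');
  const ephPubDer = eph.publicKey.export({ type: 'spki', format: 'der' });
  const shared = diffieHellman({ privateKey: eph.privateKey, publicKey: accountPublicKey });
  const nonce = randomBytes(12);
  const c = createCipheriv('chacha20-poly1305', deriveKey(shared, ephPubDer), nonce,
                           { authTagLength: 16 });
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { ephPubDer, nonce, ct, tag: c.getAuthTag() };
}

// DEVICE: holds the private key, so only it can recompute the shared secret.
function openOnDevice(accountPrivateKey, sealed) {
  const ephPub = createPublicKey({ key: sealed.ephPubDer, format: 'der', type: 'spki' });
  const shared = diffieHellman({ privateKey: accountPrivateKey, publicKey: ephPub });
  const d = createDecipheriv('chacha20-poly1305', deriveKey(shared, sealed.ephPubDer),
                             sealed.nonce, { authTagLength: 16 });
  d.setAuthTag(sealed.tag);
  return Buffer.concat([d.update(sealed.ct), d.final()]); // throws if forged or wrong key
}

// Constructed sample run: one account, one incoming integration message.
function demo() {
  const account = generateKeyPairSync('x25519');
  const sealed = sealForAccount(account.publicKey,
                                Buffer.from('constructed: new task via integration'));
  const opened = openOnDevice(account.privateKey, sealed).toString();
  sealed.ct[0] ^= 0x01; // simulate tampering while stored server-side
  let rejected = false;
  try { openOnDevice(account.privateKey, sealed); } catch (e) { rejected = true; }
  return { opened, rejected };
}
```

Everything the server stores (`ephPubDer`, `nonce`, `ct`, `tag`) is public or ciphertext, which is why knowing the public key alone lets it add data to an account without being able to read it back.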

What happens when I forget my master password?

Lunatask is an encrypted app and your master password is like a key to the vault. If the key is lost, there’s no way to get into the vault.

If you forget your password, the only option is to reset your account. We keep no backdoor to your encrypted data and do not know your encryption keys.

After resetting your account, you can set a new master password. Your subscription won’t be affected, if you have one, but your existing data will by nature be lost.

continue here

If needed, you can reset your account here 👈

Calendar integrations

Lunatask allows you to connect your calendars to see them directly in the app and even plan your tasks and habits into your day in between your meetings, appointments, and other duties using time blocking.

On desktop

After setting up the integration, our app and your device always communicate with the calendar service (e.g. Google Calendar) directly. Your calendar data is never transmitted through our infrastructure.

Lunatask checks for updates and syncs your calendar events every five minutes. Changes in Google and Outlook calendars are propagated in real time.

Real-time updates work via a webhook – when your calendar changes, the service notifies our servers, which relay this “Hey, something changed” message to your device and our app, so it syncs the latest changes.

Info

All credentials and other information you enter when setting up the integration (if applicable) are also end-to-end encrypted.

On mobile

While our desktop app connects directly to external calendar services via our custom-built integrations, our mobile app uses native Calendar SDKs available on iOS or Android instead.

Email address anonymization

We understand if you’d prefer not to share your real email address. Feel free to anonymize it using tools like SimpleLogin or AnonAddy.

Encryption of all communication

All communication with Lunatask Cloud is protected by strong SSL encryption. We use HTTPS with modern TLS 1.3 to ensure that no one, including your ISP, can eavesdrop on any communication.

Protection from data breaches

Unfortunately, attackers don’t sleep. Lunatask uses a Web Application Firewall (WAF) to analyze all traffic to our cloud. Suspicious requests are automatically blocked if unusual activity is detected. The WAF solution is provided to us by Cloudflare.

info

Please, contact us if you suspect that WAF is blocking you by mistake, such as when using our API.

Where is my data stored on my machine?

Lunatask stores its local data cache in Chromium’s IndexedDB. Chromium internally stores the content of IndexedDB in binary LevelDB files on your hard drive – either in the Application Support directory (on Mac) or in /Users/[user]/AppData (on Windows).

Where is my data physically stored in the cloud?

Lunatask stores its data in AWS US East 1 in Virginia, the United States.

Exporting data out of Lunatask

Your data is your data, and keeping it vendor-locked wouldn’t align with our vision for Lunatask.

Go here

To export your data out of Lunatask, please see our article on data export 👈

Using our apps offline

While our apps are designed to work offline and sync once you’re back online, this is intended for temporary, short-term offline situations – such as when commuting or being on vacation.

Lunatask works well offline, but it’s not intended for fully offline use. If you block our app from talking to Lunatask servers in your firewall, all may look fine for a few months, but then you’ll likely wake up one day, suddenly logged out of your account, and all unsynced changes will be gone.

This may happen since Chromium’s built-in web storages (including IndexedDB) aren’t guaranteed to be 100% durable. In the end, Lunatask is a cloud-based service (like Todoist), so please treat it as such.

Weather

We obtain our weather information from a separate provider. When fetching the latest weather information, your location is determined based on the IP address of your device using geolocation by default.

tip

You can override the location manually in the settings if you want to, or if the inferred location is inaccurate due to your ISP’s network routing or other reasons.

When you choose to override your location manually in the settings, your location is stored encrypted and added to each request for the latest weather data by our desktop app automatically.

These requests aren’t directly sent to the third-party weather API, but rather they’re sent through our own servers. This is known as proxying and it prevents the third-party weather API from tracking our users.

tip

The weather widget can be disabled altogether in the settings.

User tracking and product analytics

Most companies use in-app tracking solutions to learn how their users interact with their features and use this information to improve the product itself. However, we chose not to collect such information and rely solely on user feedback provided to us voluntarily in our Slack Community, on the Idea Portal, or via email support.

We don’t track our website visitors using technologies like cookies and we don’t share user information with Google through tools such as Google Analytics. Our website uses a privacy-friendly analytics solution from Plausible Analytics.

info

Since we don’t track you, we’re reliant on the information and feedback you tell us. Please, share any thoughts you might have and help us improve our apps. We can’t improve something or fix issues we don’t know about 🙏