Skip to main content

Encryption & Security

Even we don't have access to your data. We went a long way to ensure nobody but you can access it. What you track in your tasks and notes is your business only.

End-to-end encryption

All the data you type into Lunatask, whether it is the name of your tasks, habits, areas, tags, or the content of your notes and journal entries, is encrypted on your machine before it is sent to be stored in our cloud.

The private key (a secret) used to encrypt your data is derived from the master password you chose during sign-up. No private key or master password (neither its hashed and salted variant) is ever transmitted out of your machine.


Only what you type into the app is end-to-end encrypted – like the task's name or note. Metadata like task status, priority, or assigned date is stored unencrypted.

What happens when I forget my master password?

Your master password is like a key to the vault. If the key is lost, there's no way to get into the vault. The only solution in case of a forgotten password is resetting your account since we keep no backdoor to your encrypted data. This way, you can set up a new master password, but you'll lose your existing data in your account. You can reset your account by visiting this page, if needed.


Resetting your account will not affect your subscription.

What algorithms does Lunatask use for encryption?

Lunatask uses a combination of Curve25519, XSalsa20, and Poly1305, together with argon2id as a key derivation function. To ensure there are no implementation mistakes, encryption is delegated to an open-source NaCl networking and cryptography library – specifically this independently audited implementation (GitHub). Where client-side encryption is not possible (i.e. when using server-side integrations), server-side encryption is done using Ruby bindings for libsodium.

What about server-side integrations?

Data sent to our server-side integrations (browser bookmarklet, email integration, Zapier integration, iOS widget, Quick Add, or our API) is encrypted using your public key as soon as it reaches our servers and we keep no logs.

This is possible because Lunatask uses asymmetric encryption (also known as public-key cryptography). Your Lunatask account has two keys to protect your data – a private key and a public key. The public key is called public as it can be shared with anyone without compromising your data. The public key enables incoming messages to be encrypted and added to your account. However, the public key cannot be used to read encrypted data – only the private key that is never shared over the network can do so. Our servers know your public key but not the private one, enabling server-side integrations.

Email address anonymization

We understand if you don't want to share your email address with us. We recommend using tools like Simple Login or AnonAddy to anonymize your email address before creating an account.

Encryption of all communication

All communication with Lunatask cloud is performed over a strong SSL. All requests use HTTPS protocol with the latest and most secure TLS 1.3 to prevent anyone from listening to the communication (like your ISP) down the road.

Protection from data breaches

Unfortunately, attackers do not sleep. Lunatask uses multiple Web Application Firewalls (WAF) to analyze all traffic to our cloud. The request is automatically blocked if unusual activity is detected, like a security scan by the attacker. The WAF solution is provided to us by Cloudflare and Sqreen.

Please, contact us if you suspect that any of our WAF is blocking you by mistake, such as when using our API.

Vulnerability monitoring

Our automated vulnerability monitoring system alerts us when a new vulnerability is identified in any library or framework we use. We act as soon as we receive the report.

User tracking and product analytics

Most companies use in-app tracking solutions to learn how their users interact with their features and use this information to improve the product itself. However, we chose not to collect such information and rely solely on user feedback provided to us voluntarily in our Slack Community, on the Idea Portal, or via email support.

The same approach applies to our website. We do not track our website visitors using technologies like cookies or we share user information with Google through tools such as Google Analytics.

Third-party data

Lunatask allows you to connect your calendar and see your calendar events directly next to your tasks. When you decide to do so, all communication is always done from your machine directly to the calendar service you're using. Your calendar data is never transmitted through Lunatask infrastructure.

Lunatask syncs your calendar events every five minutes. For Google and Outlook, real-time updates are also available. Real-time updates work by Lunatask registering a webhook with the calendar service – when there's a change in calendar data, the calendar service sends a notification to Lunatask servers, which forward this "hey, something has changed" information to our client apps. Client apps, in return, will fetch the latest changes directly from the calendar service without your data ever going through Lunatask infrastructure.