Encryption & Privacy
We have taken great care to ensure that your data remains private and secure. Even we do not have access to it. Neither do your ISP and government for that matter. The information you keep in your tasks and notes is entirely for your eyes only.
End-to-end encryption
All the data you type into Lunatask, whether it is the name of your tasks, habits, areas, notebooks, tags, or the content of your notes and journal entries, is encrypted on your machine before it is sent to be stored in our cloud. Encryption isn't optional and is automatically activated on your account when you sign up.
We employ encryption to ensure your privacy, so you have your own private space on the internet and no one can spy on you along the way. Despite your data being securely stored in Lunatask Cloud and seamlessly synchronized between all your devices, no one can access it there. Even if hackers would get hold of your data, they would not be able to read it.
However, the security model we have in place protects your data when it is transmitted over the network and stored on our servers. On your own device, the data is accessible as it would be with any other app. So, make sure to secure and protect your device, and we will take care of protecting your data in the wild on the internet.
Additionally, you can protect your journal with a four-digit PIN. You can enable PIN-protection in the settings.
Your data is encrypted using secret keys generated from your password you chose during sign-up. The private key allowing one to decrypt your data is never transmitted out of your machine.
Other details (metadata) about the task, such as its status, priority, or assigned dates, are stored unencrypted.
Creating a fully zero-knowledge app with Lunatask's complex data model would be challenging. This is a conscious decision made to balance security with practicality. We have a pragmatic approach to this, not a paranoid one.
Our approach to encryption is the following: Even if one could follow the breadcrumbs (in this case, the metadata), they would still not know what the task is about. Hence why we don't consider Lunatask technically knowing that the task is marked as "started" to be an issue.
If you are looking for a zero-knowledge app, check out Standard Notes.
What happens when I forget my master password?
Lunatask is an encrypted app and your master password is like a key to the vault. If the key is lost, there's no way to get into the vault. The only solution in case of a forgotten password is resetting your account since we keep no backdoor to your encrypted data and we simply don't know what your encryption keys are. After resetting your account, you will be able to set up a new master password, but you'll lose your existing data in the account.
You can reset your account by visiting this page, if needed.
Resetting your account will not affect your subscription.
What algorithms does Lunatask use for encryption?
Lunatask uses a combination of Curve25519, XSalsa20, and Poly1305, together with argon2id as a key derivation function. To ensure there are no implementation mistakes, encryption is delegated to an open-source NaCl networking and cryptography library – specifically this independently audited implementation (GitHub). Where client-side encryption is not possible (i.e. when using server-side integrations), server-side encryption is done using Ruby bindings for libsodium.
What about server-side integrations?
Data sent to our server-side integrations (browser bookmarklet, email integration, Zapier integration, iOS widget, Quick Add, or our API) is encrypted using your public key as soon as it reaches our servers and we keep no logs.
This is possible because Lunatask uses asymmetric encryption (also known as public-key cryptography). Your Lunatask account has two encryption keys – a private key and a public key. The public key is called public as it can be shared with anyone without compromising your data. The public key enables incoming messages to be encrypted and added to your account. However, the public key cannot be used to read encrypted data – only the private key that is never shared over the network can do so. Our servers know your public key but not the private one, enabling server-side integrations.
Calendar data
Lunatask allows you to connect your calendar and see your calendar events directly next to your tasks. When you decide to do so, all communication is always done from your machine directly to the calendar service you're using. Your calendar data is never transmitted through our infrastructure.
Lunatask syncs your calendar events every five minutes. For Google and Outlook, real-time updates are also available. Real-time updates work by Lunatask registering a webhook with the calendar service. When there's a change in calendar data, the calendar service sends a notification to our servers, which forward this "hey, something has changed" information to our client apps. Client apps, in return, will fetch the latest changes directly from the calendar service without your data ever going through our infrastructure.
Weather data
We obtain our weather information from a separate company. When you create an account with us, your location is determined based on the IP address of your device using geolocation. You can override the location manually in the settings if you want to. If you choose to override your location manually, your location is stored encrypted and added to each request for the latest weather data.
These requests are not directly sent to the third-party weather API, but rather they are sent through our own servers. This is known as proxying and it prevents the third-party weather API from tracking our users.
The weather widget can be disabled altogether in the settings.
Email address anonymization
We understand if you don't want to share your email address with us when creating an account with us. We recommend using tools like Simple Login or AnonAddy to anonymize your email address before creating the account.
Encryption of all communication
All communication with Lunatask cloud is performed over a strong SSL. All requests use HTTPS protocol with the latest and most secure TLS 1.3 to prevent anyone from listening to the communication (like your ISP) down the road.
Protection from data breaches
Unfortunately, attackers do not sleep. Lunatask uses multiple Web Application Firewalls (WAF) to analyze all traffic to our cloud. The request is automatically blocked if unusual activity is detected. The WAF solution is provided to us by Cloudflare and Sqreen.
Please, contact us if you suspect that any of our WAF is blocking you by mistake, such as when using our API.
User tracking and product analytics
Most companies use in-app tracking solutions to learn how their users interact with their features and use this information to improve the product itself. However, we chose not to collect such information and rely solely on user feedback provided to us voluntarily in our Slack Community, on the Idea Portal, or via email support.
We do not track our website visitors using technologies like cookies ad we don't share user information with Google through tools such as Google Analytics. Lunatask website uses a privacy-friendly analytics solution from Plausible Analytics.
Since we don't track you, we are reliant on the information and feedback you tell us. Please, share any thoughts you might have and help us improve our apps – we cannot improve a situation or fix issues we do not know about 🙏