
Encryption & Security

We have taken great care to ensure that your data remains private and secure. Even we do not have access to it. The information you keep track of in your tasks and notes is entirely under your control and for your eyes only.

End-to-end encryption

All the data you type into Lunatask, whether it is the name of your tasks, habits, areas, notebooks, tags, or the content of your notes and journal entries, is encrypted on your machine before it is sent to be stored in our cloud.

The private key (a secret) used to encrypt your data is derived from the master password you chose during sign-up. Neither the private key nor the master password (nor its hashed and salted variant) is ever transmitted out of your machine.


Other details (metadata) about the task, such as its status, priority, or assigned dates, are stored unencrypted.

Creating a fully zero-knowledge app with Lunatask's complex data model would be challenging. This is a conscious decision made to balance security with practicality. We have a pragmatic approach to this, not a paranoid one.

Our approach to encryption is the following: even if one could follow the breadcrumbs (in this case, the metadata), they would still not know what the task is about. This is why we don't consider Lunatask technically knowing that a task is marked as "started" to be useful for anything or a violation of your privacy.

If you are looking for a zero-knowledge app, check out Standard Notes.

What happens when I forget my master password?

Your master password is like a key to the vault. If the key is lost, there's no way to get into the vault. The only solution in case of a forgotten password is resetting your account since we keep no backdoor to your encrypted data. This way, you can set up a new master password, but you'll lose your existing data in your account. You can reset your account by visiting this page, if needed.


Resetting your account will not affect your subscription.

What algorithms does Lunatask use for encryption?

Lunatask uses a combination of Curve25519, XSalsa20, and Poly1305, together with Argon2id as a key derivation function. To ensure there are no implementation mistakes, encryption is delegated to an open-source NaCl networking and cryptography library – specifically this independently audited implementation (GitHub). Where client-side encryption is not possible (i.e. when using server-side integrations), server-side encryption is done using Ruby bindings for libsodium.

What about server-side integrations?

Data sent to our server-side integrations (browser bookmarklet, email integration, Zapier integration, iOS widget, Quick Add, or our API) is encrypted using your public key as soon as it reaches our servers and we keep no logs.

This is possible because Lunatask uses asymmetric encryption (also known as public-key cryptography). Your Lunatask account has two keys to protect your data – a private key and a public key. The public key is called public as it can be shared with anyone without compromising your data. The public key enables incoming messages to be encrypted and added to your account. However, the public key cannot be used to read encrypted data – only the private key that is never shared over the network can do so. Our servers know your public key but not the private one, enabling server-side integrations.
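The split described above (a private key derived from the master password on the client, a public key that lets the server encrypt but not read) can be sketched as follows. This is an added example, not Lunatask's code: the function names, the idea of using the password hash directly as the private key, and the box layout are assumptions, and because it uses only Node.js built-ins, scrypt stands in for Argon2id and ChaCha20-Poly1305 for XSalsa20-Poly1305.

```javascript
// Added example, not Lunatask's code. Node.js built-ins only: scrypt stands in for
// Argon2id and ChaCha20-Poly1305 for XSalsa20-Poly1305; X25519 is the Curve25519 DH.
const crypto = require('node:crypto');

// DER headers that wrap a raw 32-byte X25519 key as PKCS#8 (private) or SPKI (public).
const PKCS8 = Buffer.from('302e020100300506032b656e04220420', 'hex');
const SPKI = Buffer.from('302a300506032b656e032100', 'hex');
const NONCE = Buffer.alloc(12); // fixed nonce is safe only because each message gets a fresh key
const spki = { format: 'der', type: 'spki' };
const toRaw = (pub) => pub.export(spki).subarray(SPKI.length);
const fromRaw = (raw) => crypto.createPublicKey({ key: Buffer.concat([SPKI, raw]), ...spki });

// Client only: stretch the master password into the private key (assumed derivation).
function deriveKeyPair(masterPassword, salt) {
  const cost = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
  const seed = crypto.scryptSync(masterPassword, salt, 32, cost);
  const der = Buffer.concat([PKCS8, seed]);
  const privateKey = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  return { privateKey, publicKey: toRaw(crypto.createPublicKey(privateKey)) };
}

// Per-message key: HKDF over the DH output, salted with both public keys.
function messageKey(shared, ephPub, recipientPub) {
  const salt = Buffer.concat([ephPub, recipientPub]);
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'sealed-demo', 32));
}

// Server: holds only the raw public key; encrypts integration input as it arrives.
function sealForUser(recipientPub, plaintext) {
  const eph = crypto.generateKeyPairSync('x25519');
  const ephPub = toRaw(eph.publicKey);
  const shared = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: fromRaw(recipientPub) });
  const key = messageKey(shared, ephPub, recipientPub);
  const cipher = crypto.createCipheriv('chacha20-poly1305', key, NONCE, { authTagLength: 16 });
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([ephPub, cipher.getAuthTag(), body]); // ephemeral private key is discarded
}

// Client: opens the box with the password-derived key; throws on wrong key or tampering.
function openSealed(keyPair, sealed) {
  const [ephPub, tag, body] = [sealed.subarray(0, 32), sealed.subarray(32, 48), sealed.subarray(48)];
  const shared = crypto.diffieHellman({ privateKey: keyPair.privateKey, publicKey: fromRaw(ephPub) });
  const key = messageKey(shared, ephPub, keyPair.publicKey);
  const decipher = crypto.createDecipheriv('chacha20-poly1305', key, NONCE, { authTagLength: 16 });
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}
```

Once `sealForUser` returns, the server has no key that can open its own output; only a client that re-derives the private key from the master password can call `openSealed` successfully.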

Calendar data

Lunatask allows you to connect your calendar and see your calendar events directly next to your tasks. When you decide to do so, all communication is always done from your machine directly to the calendar service you're using. Your calendar data is never transmitted through our infrastructure.

Lunatask syncs your calendar events every five minutes. For Google and Outlook, real-time updates are also available. Real-time updates work by Lunatask registering a webhook with the calendar service. When there's a change in calendar data, the calendar service sends a notification to our servers, which forward this "hey, something has changed" information to our client apps. Client apps, in return, will fetch the latest changes directly from the calendar service without your data ever going through our infrastructure.

Weather data

We obtain our weather information from a separate company. When you create an account with us, your location is determined based on the IP address of your device using geolocation. You can override the location manually in the settings if you want to. If you choose to override your location manually, your location is stored encrypted and added to each request for the latest weather data.

These requests are not directly sent to the third-party weather API, but rather they are sent through our own servers (known as proxying). This prevents the third-party weather API from tracking our users.

The weather widget can be disabled altogether in the settings.

Email address anonymization

We understand if you don't want to share your email address with us when creating an account with us. We recommend using tools like Simple Login or AnonAddy to anonymize your email address before creating the account.

Encryption of all communication

All communication with the Lunatask cloud is performed over strong SSL/TLS encryption. All requests use HTTPS with TLS 1.3, the latest and most secure version of the protocol, to prevent anyone along the way (like your ISP) from listening to the communication.

Protection from data breaches

Unfortunately, attackers do not sleep. Lunatask uses multiple Web Application Firewalls (WAFs) to analyze all traffic to our cloud. A request is automatically blocked if unusual activity is detected. The WAF solutions are provided to us by Cloudflare and Sqreen.

Please contact us if you suspect that one of our WAFs is blocking you by mistake, such as when using our API.

User tracking and product analytics

Most companies use in-app tracking solutions to learn how their users interact with their features and use this information to improve the product itself. However, we chose not to collect such information and rely solely on user feedback provided to us voluntarily in our Slack Community, on the Idea Portal, or via email support.

We do not track our website visitors using technologies like cookies, and we don't share user information with Google through tools such as Google Analytics. The Lunatask website uses a privacy-friendly analytics solution from Plausible Analytics.