Encryption & Security

How does Lunatask protect your data?

Even we don't have access to your data. We went a long way to ensure nobody but you can access it. Anything you do or track within Lunatask is your business only.

End-to-end data encryption

All the data you type into Lunatask, whether it is the name of the task, a note, name of the area, or habit is encrypted at your machine before it is sent to be stored in our cloud. The private key (a secret) used to encrypt your data is derived from the master password you chose during sign-up. No private key nor master password is ever transmitted out of your machine.

What happens when I forget my master password?

Your master password is like a key to the vault. If the key is lost, there's no way to get into the vault. The only solution in case of a forgotten password is resetting your account since we keep no backdoor to your encrypted data. This way you can set up a new master password, but your previous data will be lost. Please, contact us and we'll promptly reset your account, if needed.

What algorithms does Lunatask use for encryption?

Lunatask uses a combination of Curve25519, XSalsa20, and Poly1305, together with argon2id as a key derivation function.

Email Address Anonymization

If you don't want to share your email address with us, we totally understand. We recommend using tools like Simple Login or AnonAddy to anonymize your email address.

Encryption of all communication

All communication with Lunatask cloud is performed over a strong SSL. All requests use HTTPS protocol with the latest and most secure TLS 1.3 to prevent anyone down the road from listening to the communication (like your ISP).

Protection from data breaches

Unfortunately, attackers do not sleep. Lunatask uses multiple Web Application Firewalls (WAF) to analyze all traffic to our cloud. If unusual activity is detected, like a security scan by the attacker, the request is automatically blocked. The WAF solution is provided to us by Cloudflare and Sqreen.

Please, contact us if you suspect that you are being blocked by any of our WAF, such as when using the Public API, by mistake.

Vulnerability monitoring

Our automated vulnerability monitoring system alerts us when a new vulnerability is identified in any library or framework we use. We act as soon as a vulnerability is reported.

User tracking and product analytics

Most companies use in-app tracking solutions to learn how their users interact with their features and use this information to improve the product itself. However, we chose not to collect such information and rely solely on user feedback provided to us voluntarily.

The same approach applies to our website. We do not track our website visitors using technologies like cookies, nor do we share user information with Google through tools such as Google Analytics.

Third-party data

Lunatask allows you to connect your calendar and see your calendar events directly next to your tasks. When you decide to do so, all communication is always done from your machine directly to the calendar service you're using. Your calendar data is never transmitted through Lunatask infrastructure and we don't have access to this data.

Trusted sources

You can get Lunatask from many different sources on the internet. You can trust that the application downloaded from the following sources was not modified as the sources are maintained by us. Here is the list of trusted sources:

All versions of Lunatask for Mac distributed by us are signed using our certificates. If you don't receive a Gatekeeper warning when running the app, you can trust this application version.

Currently, we don't cryptographically sign builds of Lunatask for Windows distributed outside of Microsoft Store. When you download Lunatask for Windows from any trusted source above, you can safely ignore Windows SmartScreen warning.