Encryption & Security

How does Lunatask protect your data?

Even we don't have access to your data. We went to great lengths to ensure nobody but you can access it. Anything you do or track within Lunatask is your business only.

End-to-end data encryption

All the data you type into Lunatask, whether it is the name of a task, a note, the name of an area, or a habit, is encrypted on your machine before it is sent to be stored in our cloud. The private key (a secret) used to encrypt your data is derived from the master password you chose during sign-up. Neither the private key nor the master password is ever transmitted from your machine.

What algorithms does Lunatask use for encryption?

Lunatask uses a combination of Curve25519, Salsa20, and Poly1305 through the NaCl networking and cryptography library, together with Argon2id as the key derivation function.

What happens when I forget my master password?

Your master password is like a key to the vault. If the key is lost, there's no way to get into the vault. The only solution in case of a forgotten password is resetting your account since we keep no backdoor. This way you can set up a new master password, but your previous data will be lost. Please, contact us and we'll promptly reset your account, if needed.

Encryption of all communication

All communication with the Lunatask cloud is performed over an encrypted connection. All requests are forced to use HTTPS with the latest and most secure TLS 1.3 to prevent anyone along the way (like your ISP) from listening in on the communication.

Protection from data breaches

Unfortunately, attackers do not sleep. Lunatask uses multiple Web Application Firewalls (WAF) to analyze all traffic to our cloud. If unusual activity is detected, like a security scan by an attacker, the request and the IP address it is coming from are immediately and automatically blocked. The WAF solutions are provided to us by Cloudflare and Sqreen.

Please contact us if you suspect that you are being blocked by mistake by any of our WAFs, such as when using the Public API.

Vulnerability monitoring

Our automated vulnerability monitoring system alerts us when a new vulnerability is identified in any library or framework we use. We act as soon as a vulnerability is reported.

User tracking and product analytics

Most companies use in-app tracking solutions to learn how their users interact with their features and use this information to improve the product itself. However, we chose not to collect such information and rely solely on user feedback provided to us voluntarily.

The same approach applies to our website. We do not track our website visitors using technologies like cookies, nor do we share user information with Google through tools such as Google Analytics.

Trusted sources

You can get Lunatask from many different sources on the internet. You can trust that the application downloaded from the following sources was not modified, as these sources are maintained by us. Here is the list of trusted sources:

All versions of Lunatask for Mac distributed by us are signed using our certificates. If you don't receive a Gatekeeper warning when running the app, you can trust this application version.

Currently, we don't cryptographically sign builds of Lunatask for Windows. If you downloaded Lunatask for Windows from any trusted source above, you can safely ignore the Windows Defender warning.