How does Lunatask protect your data?
Even we don't have access to your data. We have gone to great lengths to ensure that nobody but you can access it. It is our belief that our implementation is the safest way to provide you the service in its current form, even compared to enterprise-grade cloud software. Anything you do or track within Lunatask is your business only.
All the data you type into Lunatask, whether it is the name of a task, a note, the name of an area, or a habit, is encrypted on your machine before it is sent to be stored in our cloud. The private key (a secret) used to encrypt your data is derived from the master password you chose during sign-up. Neither the private key nor the master password is ever transmitted from your machine.
Lunatask uses a combination of Curve25519, Salsa20, and Poly1305 via the NaCl networking and cryptography library, together with Argon2id as a key derivation function.
Your master password is like a key to the vault. If the key is lost, there's no way to get into the vault. Since there is no backdoor, the only solution in case of a forgotten password is resetting your account. This way you can set up a new master password, but your previous data will be lost. Please contact us and we'll promptly reset your account, if needed.
All communication with the Lunatask cloud is performed over a strong SSL connection. All requests are forced to use the HTTPS protocol with TLS 1.3, the latest and most secure version, to prevent anyone along the way (like your ISP) from listening in on the communication.
Our SSL settings are graded A in an independent SSL test by SSL Labs.
Unfortunately, attackers do not sleep. Lunatask uses multiple Web Application Firewalls (WAF) to analyze all traffic to our cloud. If unusual activity is detected, like a security scan by an attacker, the request and the IP address it is coming from are immediately and automatically blocked. The WAF solutions are provided to us by Cloudflare and Sqreen.
Please contact us if you suspect that you are being blocked by any of our WAFs by mistake, such as when using the Public API.
Our automated vulnerability monitoring system alerts us when a new vulnerability is identified in any library or framework we use. We act as soon as a vulnerability is reported.
Most companies use in-app tracking solutions to learn how their users interact with their features and use this information to improve the product itself. However, we chose not to collect such information and rely solely on user feedback provided to us voluntarily.
The same approach applies to our website. We do not track our website visitors using technologies like cookies, nor do we share user information with Google through tools such as Google Analytics.