Encryption & Security

How does Lunatask protect your data?

Even we don't have access to your data. We went a long way to ensure nobody but you can access it. Anything you do or track within Lunatask is your business only.

End-to-end data encryption

All the data you type into Lunatask, whether it is the name of a task, a note, the name of an area, or a habit, is encrypted on your machine before it is sent to be stored in our cloud. The private key (a secret) used to encrypt your data is derived from the master password you chose during sign-up. Neither the private key nor the master password is ever transmitted out of your machine.

What happens when I forget my master password?

Your master password is like a key to the vault. If the key is lost, there's no way to get into the vault. The only solution in case of a forgotten password is resetting your account, since we keep no backdoor to your encrypted data. This way, you can set up a new master password, but you'll lose the existing data in your account. Please contact us and we'll promptly reset your account if needed.

What algorithms does Lunatask use for encryption?

Lunatask uses a combination of Curve25519, XSalsa20, and Poly1305, together with Argon2id as a key derivation function.

Email address anonymization

We understand if you don't want to share your email address with us. We recommend using tools like Simple Login or AnonAddy to anonymize your email address.

Encryption of all communication

All communication with the Lunatask cloud is performed over a strong SSL connection. All requests use the HTTPS protocol with the latest and most secure TLS 1.3 to prevent anyone along the way (like your ISP) from listening in on the communication.

Protection from data breaches

Unfortunately, attackers do not sleep. Lunatask uses multiple Web Application Firewalls (WAF) to analyze all traffic to our cloud. A request is automatically blocked if unusual activity is detected, such as a security scan by an attacker. The WAF solution is provided to us by Cloudflare and Sqreen.

Please contact us if you suspect that any of our WAFs is blocking you by mistake, such as when using the Public API.

Vulnerability monitoring

Our automated vulnerability monitoring system alerts us when a new vulnerability is identified in any library or framework we use. We act as soon as we receive the report.

User tracking and product analytics

Most companies use in-app tracking solutions to learn how their users interact with their features and use this information to improve the product itself. However, we chose not to collect such information and rely solely on user feedback provided to us voluntarily.

The same approach applies to our website. We do not track our website visitors using technologies like cookies, nor do we share user information with Google through tools such as Google Analytics.

Third-party data

Lunatask allows you to connect your calendar and see your calendar events directly next to your tasks. When you decide to do so, all communication is always done from your machine directly to the calendar service you're using. Your calendar data is never transmitted through Lunatask infrastructure, and we don't have access to this data.

Trusted sources

You can get Lunatask from many different sources on the internet. You can trust that the application downloaded from the following sources was not modified as we maintain the sources. Here is the list of trusted sources:

All versions of Lunatask for Mac distributed by us are signed using our certificates. Therefore, you can trust this version if you don't receive a Gatekeeper warning when running the app.

Currently, we don't cryptographically sign builds of Lunatask for Windows distributed outside of the Microsoft Store. Therefore, when you download Lunatask for Windows from any trusted source above, you can safely ignore the Windows SmartScreen warning.