Your Todoist account holds your tasks, projects, and personal data. Here's how we protect your information and how you can keep your account safe.

How is my data protected?

All data transmitted between your device and Todoist is encrypted using TLS (Transport Layer Security). Data at rest is also encrypted. Todoist data is stored on secure cloud infrastructure, and Doist complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

For full details on our security measures, data storage locations, compliance certifications, Data Processing Agreement (DPA), and sub-processor list, visit our Trust Center.

How do I secure my account?

There are a few steps you can take to keep your account safe:

• Use a strong, unique password. Here's how to strengthen your Todoist account password.
• Add an extra layer of protection with two-factor authentication (2FA). Learn how to set up two-factor authentication.
• Lost access to your authenticator app or can't log in? Check out how to troubleshoot two-factor authentication.

Can I export or delete my data?

You have full control over your data:

• Todoist creates automatic daily backups you can download at any time. Check out how to download or restore backups.
• You can delete your account and all associated data whenever you'd like. Here's how to delete your Todoist account.

I can't log in to my account

If you're having trouble logging in, try these steps:

1. Reset your password and check your inbox (including spam) for the reset email.
2. Make sure you're using the correct email address. If you signed up with Google or Apple, use that method to log in instead.
3. Try logging in via the web app to rule out device-specific issues.

For more help, check out how to log in or out of Todoist.

Why am I being asked to reset my password?

Todoist checks email addresses and passwords against the Have I Been Pwned database during login. This is a database that tracks publicly disclosed data breaches. If your credentials appear in a known breach, Todoist considers that login insecure and will ask you to reset your password.

To resolve this:

1. Reset your password.
2. Choose a strong, unique password you don't use anywhere else.

You can also check whether your email or password appears in any known breaches on the same site. If your password is listed there, you won't be able to use it to log in to Todoist.

What should I do if I suspect unauthorized access?

If you notice unexpected activity on your account or believe someone else may have gained access, take these steps to secure it:

1. Log in to your Todoist account via the web app at todoist.com.
2. Click your avatar in the top-left corner.
3. Go to Settings.
4. Select the Integrations tab > Developer.
5. Click Issue a new API token and confirm by clicking OK.

This logs you out of all active sessions across all devices. You'll need to log back in with your password afterward.

Once you've done that, strengthen your Todoist account password to make sure you're using something unique to Todoist. We recommend using a password manager to generate a unique, hard-to-guess password.

If you no longer need your account or didn't create one intentionally, you can delete your Todoist account.

Someone created an account with my email

Todoist requires email verification before an account can be activated. If someone used your email to create an account, it can't be accessed or used without clicking the verification link sent to your inbox.

If you didn't verify the account, it remains inactive and no one can log in or use it. If you'd like the inactive account removed entirely, get in touch with us and we'll delete it for you.

I can't access the email linked to my account

If you're still logged in to Todoist on any device, you can change your email in Settings > Account. Follow the steps in change your email address.

If you're not logged in on any device, get in touch with us and we can verify your identity through the payment method associated with the account. Be ready to confirm details like the last 4 digits of your card, recent charge amount, or plan name. Free plan users without access to their email will need to create a new account with a different email address.

Troubleshoot missing projects, tasks, comments, or other data

If you notice missing data, like projects, tasks, or comments, this is usually a sync issue. Your data is safe but may not have synced to the device you're currently using.

Follow the steps in troubleshoot syncing issues in Todoist to resolve it. You can also download or restore backups at any time since Todoist saves daily backups automatically.

Is this email really from Todoist?

Todoist only sends emails from addresses ending in @todoist.com or @doist.com. If you receive a suspicious email claiming to be from Todoist, don't click any links in it. Get in touch with us with a screenshot and we'll confirm whether it's legitimate.

How do I report a security vulnerability?

If you've found a security vulnerability in Todoist, we'd like to hear about it. Check out our bug bounty policy for details on how to submit a report and what's in scope.

Learn more

Visit our Trust Center for detailed information on compliance certifications, infrastructure, data processing practices, and our security policies.

If you have questions about security, privacy, or need help with your account, get in touch with us. We're happy to help.