Loading the new Help Center

Security, privacy and GDPR FAQ

Available for:

Have a question about our security, terms of service, privacy policy or GDPR compliance? Read on for answers:

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation designed to help citizens and residents of the European Union (EU) protect their personal data by specifying how such data may be collected, processed and stored. At Doist, we're fully compliant as of May 25th, 2018.

Is Doist GDPR compliant?

Yes. Doist and our services, Todoist and Twist, are fully compliant with the GDPR as of May 25th, 2018.

Are our customers able to use Doist products and services without risking a breach of the GDPR?

Yes, from our end. Of course, if your customers are in a location where the GDPR applies, they need to make sure their business operation is compliant with the GDPR in its own right.

What types of personal data does Doist collect?

When registering for Todoist and/or Twist you voluntarily give us information such as your name and email address. You can access and update this information at any time in your personal Account Settings.

In addition, when you use our services, you give us the consent to use the following data:

      • Email
      • IP address
      • Device ID
      • Name and surname (optional, not processed)
      • Job (optional, not processed)
      • Phone number (optional, not processed)
      • VAT ID (optional)
      • Invoice address (for Pro and Business accounts)

Why does Doist collect personal data?

The data we collect is required for us to provide you with our services and is used to improve Twist and Todoist.

How can I access and export my personal data?

To have your personal data exported, please contact our Customer Experience team.

We provide full access to data via our API, allowing you to obtain the personal data that was provided to us and/or transfer it to another controller. You can find our API for Twist and Todoist here:



Please note that payment information and integrations are not available via our API. In the case you want to obtain this information, please contact our Customer Experience team.

How does Doist process data?

Doist is considered a Data Processor which means that Doist controls how your user data is processed and is responsible for the data to be processed within GDPR regulations. Although Doist owns the code, databases, and all rights to the Todoist and Twist applications, you retain all rights to your data.

When it’s absolutely necessary, we use GDPR-compliant third party services and hosting partners such as Stripe, AWS and Google Workspace. In these cases, we take the necessary safeguards to ensure that we are GDPR compliant when sending and receiving data from the third party.

Check out Todoist’s security and privacy policies and Twist’s security and privacy policies for more information.

Do you provide a list of relevant third party services?

Yes. When necessary, we use the following GDPR-compliant third party services:

  • Amazon Web Services
  • Baremetrics
  • CloudBees Rollout
  • Datadog
  • Facebook
  • Firebase
  • Google Analytics
  • MailChimp
  • Mailgun
  • Microsoft Azure
  • Microsoft Visual Studio App Center
  • PartnerStack
  • PayPal
  • ProfitWell
  • SendGrid
  • Sentry
  • Stripe
  • Zendesk

Do you process any Data outside the EU?

Yes, we do. We process data in North Virginia, USA using Amazon Web Services (AWS). We only collect as little data as possible, and all data is encrypted using AES 256 encryption.

Do you ever sell any data?

No, we never sell data.

Do you store any personal data once I've deleted my account?

Upon deleting your account, all your personal data will be removed from our production systems. Only an encrypted copy of your data will remain on our backup archives for 90 days. After this period, all data associated with your account will be deleted permanently. Please note that we don't provide the encrypted copy from our backup archives upon request. 

Does Doist offer a Data Processing Agreement (DPA)?

Yes. We offer a DPA that has been pre-signed on behalf of Doist. It can be completed by filling out your details and signing it here.

How is personal data protected?

We restrict staff access to personal data to a very small number of employees who need access for specific reasons to improve Todoist and Twist.

We regularly test, assess and evaluate the effectiveness of our processes and technology.

We use encryption to safeguard data.

How is personal data encrypted?

When user data is stored in servers and databases, Doist uses AES 256 encryption. When the data is being sent or received, it is encrypted with TLS 1.1 or above. Data backups on our servers are encrypted with AES256 and signed by RSA with 2048 key length.

Additionally, Todoist creates automatic backups within the app on a daily basis for Pro and Business users. We take the necessary safeguards to ensure that these are well protected by maintaining a security system that prevents unauthorized access.

Since GDPR has various requirements, your compliance needs will depend on your precise circumstances. If you have specific questions or needs, please contact our Customer Experience team.

How is my content protected? Can you read my content?

User content, such as tasks and comments, resides in our data stores, which get shielded from internet traffic, and have a strict access policy inside the company. Access to it is audited, requires multiple layers of authentication, and is only allowed for a valid business purpose. In other words, there's no way for any entitled internal employee to access it without others knowing.

The need to access user content is pretty rare. However, it can happen in the context of a Customer Experience case. For example:

  • When a user engages the Customer Experience team to recover voluntarily deleted tasks.
  • To troubleshoot content synchronization conflicts in shared (multi-user) projects.

Are the deleted tasks also deleted from your servers?

Yes, after a while. The system first marks records as deleted before actually deleting them. Soft deletions ensure content is inaccessible by client applications. Hard deletions occur later, deferred in time.
The system's behavior supports our multi-device synchronization mechanisms. Records marked as deleted help synchronization algorithms to perform data state conflict resolution.

User content is also present in database backups. They exist for business continuity, in case we ever face a disastrous scenario of data loss, a long period of data unavailability, or data corruption. All data, including backups, are kept encrypted at rest. To date, we have never needed to use database backups.

Database backups do not allow access to each user's data. Instead, we can restore them into a live database, where regular data access controls apply. The backups are rotated automatically and won't last more than 94 days.