Security, Privacy and GDPR FAQs

Have a question about our security, terms of service, privacy policy or GDPR compliance? Read on for answers:

Q: What is the GDPR?

A: The General Data Protection Regulation (GDPR) is an upcoming regulation designed to help citizens and residents of the European Union (EU) protect their personal data by specifying how such data may be collected, processed and stored. At Doist, we’re planning to be fully compliant by May 25th, 2018.

Q: Is Doist GDPR compliant?

A: The plan is for Doist and our services, Todoist and Twist, to be fully compliant with the GDPR by May 25th, 2018.

Q: Will our customers be able to use Doist products and services without risking a breach of the GDPR?

A: Yes, from our end. Of course, if your customers are in a location where the GDPR applies, they will need to make sure their business operation is compliant with the GDPR in its own right.

Q: What types of personal data does Doist collect?

A: When registering for Todoist and Twist you voluntarily give us information such as your name and email address. You can access and update this information at any time in your personal Account Settings.

In addition, when you use our services, you give us consent to use the following data:

• Email
• IP address
• Device ID
• Name and surname (optional, not processed)
• Job (optional, not processed)
• Phone number (optional, not processed)
• VAT ID (optional)
• Invoice address (for Premium accounts)

Q: Why does Doist collect personal data?

A: The data we collect is required for us to provide you with our services and is used to improve Twist and Todoist.

Q: How can I access and export my personal data?

A: We provide full access to data via our API, which allows you to obtain the personal data that was provided to us and/or transfer it to another controller. You can find our API for Twist and Todoist here:

Please note that payment information and integrations are not available via our API. If you want to obtain this information, please contact our support team.

Q: How does Doist process data?

A: Doist is considered a Data Processor, which means that Doist controls how your user data is processed and is responsible for ensuring that the data is processed in accordance with the GDPR. Although Doist owns the code, databases, and all rights to the Todoist and Twist applications, you retain all rights to your data.

When it’s absolutely necessary, we use GDPR-compliant third-party services and hosting partners such as Stripe, AWS and Google G-Suite. In these cases, we take the necessary safeguards to ensure that we remain GDPR compliant when sending data to and receiving data from the third party.

Check out Todoist’s security and privacy policies and Twist’s security and privacy policies for more information.

Q: Do you process any Data outside the EU?

A: Yes, we do. We process data in North Virginia, USA, using Amazon Web Services (AWS). We collect as little data as possible, and all data is encrypted using AES 256 encryption.

Q: Do you ever sell any data?

A: No, we never sell data.

Q: How long do you store personal data?

A: We store personal data that has been given to us voluntarily on our servers for as long as your account is active, with the exception of file uploads, which are only removed when the associated task comment is explicitly deleted. File uploads can be deleted upon request by contacting our support team and providing them with the link to the particular file. In accordance with the GDPR, your data will be erased as soon as possible, and no later than one month after receipt of the deletion request.

Q: Does Doist offer a Data Processing Agreement (DPA)?

A: While we can’t sign DPAs yet, we intend to offer one that will be effective by May 25th, when the GDPR comes into effect. If you want to receive a DPA from us once it’s ready, please contact our support team.

Q: How is personal data protected?

A: We restrict staff access to personal data to a very small number of employees: those who need access for specific reasons to improve Todoist and Twist.

We regularly test, assess and evaluate the effectiveness of our processes and technology.

We use encryption to safeguard data.

Q: How is personal data encrypted?

A: When user data is stored on servers and in databases, Doist uses AES 256 encryption. When data is being sent or received, it is encrypted in transit with TLS 1.1 or above. Data backups on our servers are encrypted with AES 256 and signed with RSA using a 2048-bit key.

Additionally, Todoist creates automatic backups within the app on a daily basis for Premium and Business users. We take the necessary safeguards to ensure that these are well protected by maintaining a security system that prevents unauthorized access.

Since GDPR has various requirements, your compliance needs will depend on your precise circumstances. If you have specific questions or needs, please contact the support team.