Security, Privacy and GDPR FAQ

Have a question about our security, terms of service, privacy policy or GDPR compliance? Read on for answers:

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation designed to help citizens and residents of the European Union (EU) protect their personal data by specifying how such data may be collected, processed and stored. At Doist, we’re fully compliant as of May 25th, 2018.

Is Doist GDPR compliant?

Yes. Doist and our services, Todoist and Twist, are fully compliant with the GDPR as of May 25th, 2018.

Are our customers able to use Doist products and services without risking a breach of the GDPR?

Yes, from our end. Of course, if your customers are in a location where the GDPR applies, they will need to make sure their business operation is compliant with the GDPR in its own right.

What types of personal data does Doist collect?

When registering for Todoist and Twist you voluntarily give us information such as your name and email address. You can access and update this information at any time in your personal Account Settings.

In addition, when you use our services, you give us the consent to use the following data:

      • Email
      • IP address
      • Device ID
      • Name and surname (optional, not processed)
      • Job (optional, not processed)
      • Phone number (optional, not processed)
      • VAT ID (optional)
      • Invoice address (for Unlimited accounts)

Why does Doist collect personal data?

The data we collect is required for us to provide you with our services and is used to improve Twist and Todoist.

How can I access and export my personal data?

We provide full access to data via our API which allows you to obtain the personal data that was provided to us and/or transfer it to another controller. You can find our API for Twist and Todoist here:



Please note that payment information and integrations are not available via our API. In the case you want to obtain this information, please contact our support team.

How does Doist process data?

Doist is considered a Data Processor which means that Doist controls how your user data is processed and is responsible for the data to be processed within GDPR regulations. Although Doist owns the code, databases, and all rights to the Todoist and Twist applications, you retain all rights to your data.

When it’s absolutely necessary, we use GDPR-compliant third party services and hosting partners such as Stripe, AWS and Google Workspace. In these cases, we take the necessary safeguards to ensure that we are GDPR compliant when sending and receiving data from the third party.

Check out Todoist’s security and privacy policies and Twist’s security and privacy policies for more information.

Do you provide a list of relevant third party services?

Yes. When necessary, we use the following GDPR-compliant third party services:

  • Amazon Web Services
  • Google Analytics
  • Zendesk
  • SendGrid
  • Mailgun
  • Paypal
  • Stripe
  • Microsoft Azure
  • Microsoft Visual Studio App Center
  • Fabric (Crashlytics)
  • Baremetrics
  • MailChimp

Do you process any Data outside the EU?

Yes, we do. We process data in North Virginia, USA using Amazon Web Services (AWS). We only collect as little data as possible, and all data is encrypted using AES 256 encryption.

Do you ever sell any data?

No, we never sell data.

Do you store any personal data once I've deleted my account?

Upon deleting your account, all your personal data will be removed from our production systems. Only an encrypted copy of your data will remain on our backup archives for 90 days. After this period, all data associated with your account will be deleted permanently.

Does Doist offer a Data Processing Agreement (DPA)?

Yes. We offer a DPA that has been pre-signed on behalf of Doist. It can be completed by filling out your details and signing it here.

How is personal data protected?

We restrict staff access to personal data to a very small number of employees those who need access for specific reasons to improve Todoist and Twist.

We regularly test, assess and evaluate the effectiveness of our processes and technology.

We use encryption to safeguard data.

How is personal data encrypted?

When user data is stored in servers and databases, Doist uses AES 256 encryption. When the data is being sent or received, it is encrypted with TLS 1.1 or above. Data backups on our server are encrypted with AES256 and signed by RSA with 2048 key length.

Since GDPR has various requirements, your compliance needs will depend on your precise circumstances. If you have specific questions or needs, please contact the support team.