What makes a task manager 'privacy-focused'?

Not a privacy policy — an architecture. A genuinely private task manager keeps the authoritative copy of your tasks on your device, needs no account, sends no telemetry, and ideally is open-source so the claim can be checked. 'We don't sell your data' is a promise; 'your data never leaves your phone' is a property of how the app is built. Judge on the second.

Is local-first the same as private?

Closely related but not identical. Local-first means the real copy of your data lives on your device, so there's nothing on a server to leak — that's a strong privacy foundation. But 'local' describes where data lives, not whether it's encrypted. Data sitting in plain text on a lost, unencrypted phone isn't private. The strongest setups are local-first AND rely on device-level encryption (or add their own).

Are end-to-end-encrypted cloud apps private too?

Yes, in a different way. With end-to-end encryption (E2EE), your data is encrypted on your device before it's uploaded, so the vendor stores ciphertext they can't read. That's a legitimate privacy model — Joplin, Standard Notes, and Obsidian Sync all use it — and it buys you multi-device sync that pure local-only apps can't match. The tradeoff: your data still leaves the device, and you're trusting the encryption was implemented correctly. Local-only means there's simply nothing to upload.

Do I need to pay for a private task manager?

Usually not. Privacy-respecting apps tend to be free or one-time purchases precisely because they don't run servers that cost money every month. Local processing happens on hardware you already own. Several apps in this guide — Trayzero, Tasks.org, Orgzly Revived, Super Productivity — are free and open-source. Paid tiers, when they exist, are typically for optional encrypted sync, not for privacy itself.

Which is the most private task manager?

The one that transmits the least. An app that needs no account, keeps tasks in an on-device database, and ships no analytics has almost nothing to expose. Among the apps here, the local-only options (Trayzero, Orgzly Revived, Tasks.org in local mode) expose the least by default; the E2EE-cloud options (Joplin, Standard Notes) trade a little exposure for sync. Match the model to whether you need multi-device.

Best privacy-focused task managers (data stays on your device)

Search "privacy task manager" and you'll get a wall of apps that all say the same thing: we respect your privacy, we don't sell your data. That sentence is on the landing page of nearly every cloud app too — including the ones that have been breached. A privacy policy is a promise about what a company chooses to do with the data it holds. The question that actually protects you is different: what data does the app hold in the first place, and where?

This guide judges task managers on that question. Not on marketing — on architecture you can check. The good news for the privacy-conscious is that the best options here are mostly free and several are open-source, so the claims aren't something you have to take on faith.

What "privacy-focused" actually means for a task app

Your task list is more revealing than it looks. It's a running log of where you'll be, who you owe work to, what you're worried about, what you're buying, and what you're treating for. A truly private task manager treats that as data that should never need to leave your control. In practice that means five things you can verify:

No account required. If there's no sign-up, there's no email, no profile, and no identifier to transmit or leak. The absence of an account is the cleanest privacy signal an app can send. (More on why a task app shouldn't need an account.)
On-device storage. The authoritative copy of your tasks should live on your phone or computer — not as a cached view of something on a vendor's server. This is the local-first property, and it's the foundation everything else sits on.
No telemetry by default. Plenty of "private" apps still phone home with analytics, crash reports, and usage events. The privacy-respecting default is nothing — or, at most, anonymous crash reporting that is clearly disclosed and off until you turn it on.
Encryption — and be precise about which kind. There are two: encryption at rest (your data on the device is encrypted) and encryption in transit/E2EE (data is encrypted before it's synced anywhere). They solve different threats. Don't let one stand in for the other.
Auditability. If the code is open-source, the privacy claims can be checked by anyone, not just believed. It's the difference between "trust us" and "verify us."

The honest distinction nobody draws clearly

The single most important thing to understand before picking an app: "local" and "encrypted" are not the same promise, and the strongest privacy comes in two different flavors.

Local-only. The data never leaves your device unless you explicitly export it. There's no server copy to breach, subpoena, sell, or train a model on, because there's no server copy at all. The catch, as the local-first vs cloud breakdown spells out, is that local describes location, not protection. Data on a stolen, unencrypted phone is exposed regardless of how local-first the app is. Most local-only apps — including the ones below — lean on the operating system's full-device encryption rather than encrypting the task database themselves, so a phone with a passcode and modern OS encryption is the real safeguard.

End-to-end-encrypted cloud. Here data does leave your device — but it's encrypted first, with a key the vendor never holds, so what lands on the server is ciphertext nobody but you can read. This is a genuinely private model, and it solves the one thing local-only can't: seamless multi-device sync. The tradeoffs are that your (encrypted) data is still uploaded, and you're trusting the encryption was built correctly.

Neither flavor is "more private" in the abstract. Local-only minimizes what exists; E2EE-cloud protects what travels. Pick by whether you need sync.

The apps

Trayzero — local-only, no account, mobile

Trayzero is built around the local-only model and takes it to the default. Your tasks live in an on-device SQLite database; there's no account, no server, and no analytics. Crash reporting exists but is anonymous and off by default — nothing about your tasks is transmitted unless you go looking for the toggle and flip it. Backups are plain JSON files you control, so your data is portable and readable outside the app. It's open-source (GPLv3), so all of that is verifiable.

The honest limits: Trayzero is mobile-only — Android and iOS, no desktop app — and it's single-device by design (you move data via the JSON backup rather than syncing). Like most apps in this list, it relies on your phone's device-level encryption rather than encrypting the database itself. If you want a focused, account-free GTD system that keeps your tasks where your phone is and nowhere else, that's exactly the niche it fills.

Everdo — local-first GTD that also syncs, with encryption

Everdo is the closest thing to a "has it both ways" option for GTD purists. It's local-first and runs fully offline with no account — but it also offers end-to-end-encrypted sync (and a paid one-time Pro license unlocks sync plus other extras). Crucially, it's truly cross-platform: Windows, Mac, Linux, Android, and iOS.

This is where Everdo wins outright over Trayzero and the mobile-only apps: if you work on a desktop and want encrypted multi-device sync without a subscription, Everdo is hard to beat. The tradeoffs: it's not open-source, so the privacy claims rest on trust rather than audit, and the most useful sync/encryption features sit behind the paid license.

Tasks.org — open-source, self-hostable, your sync your rules

Tasks.org is a GPLv3 Android app that stores tasks in a local database and lets you decide if and how they sync. You can stay local-only, sync over CalDAV to a server you control, or use end-to-end-encrypted backends like EteSync — and none of it requires handing data to Tasks.org itself (they offer an optional paid hosted server, but it's exactly that: optional).

It's one of the most privacy-flexible options here precisely because it doesn't make the sync decision for you. The catch: it's Android-only, and getting self-hosted or E2EE sync working is more setup than a typical user wants. For a technical user who wants open-source plus control over where data goes, it's a standout.

Orgzly Revived — plain text, zero collection

Orgzly Revived (the community-maintained successor to Orgzly) stores everything as plain-text org-mode files on your device, and its privacy policy states plainly that it doesn't collect or share any user data. Sync, if you want it, is your choice: a local directory, SD card, WebDAV, or Dropbox. It's free and open-source.

The plain-text format is the privacy feature here — your tasks are human-readable files no app can lock away, and they'll outlive any single program. The limits: it's Android-only, and org-mode is a power-user format with a real learning curve. If you already live in plain text, this is a natural fit; if not, it's a steep entry.

Joplin — the end-to-end-encrypted contrast

Joplin is here to represent the E2EE-cloud model done well. It's open-source, cross-platform (desktop and mobile), and its sync — across Dropbox, OneDrive, WebDAV, Nextcloud, S3, or Joplin Cloud — can be end-to-end encrypted, so the sync provider only ever holds ciphertext. It's notes-first with solid to-do support rather than a dedicated GTD app.

If multi-device sync is non-negotiable and you accept the E2EE model, Joplin is a strong, auditable choice. The honest framing: this is the "data leaves your device" approach — encrypted, but uploaded. That's a different bargain than the local-only apps above, not a strictly better one.

Obsidian + a tasks plugin — local vault, DIY

Obsidian stores everything in a local folder of plain Markdown files, needs no account for personal use, and — with the community Tasks plugin — becomes a capable task system that keeps the same local, no-vendor-in-the-middle posture as the vault underneath it. Sync is optional: Obsidian's own paid E2EE Sync, or community options like self-hosted LiveSync.

It's cross-platform and extremely flexible. Two caveats for the privacy-strict: the Obsidian app itself is not open-source (the plugins are), and turning it into a real GTD workflow is a build-it-yourself project, not an out-of-the-box experience.

Also worth knowing: Super Productivity (open-source, local-first, optional WebDAV/Dropbox sync, desktop + Android) and Standard Notes (E2EE-first, with checklists/tasks) are both reasonable picks in the same spirit.

Side by side

App	Platforms	Account	Default storage	Sync	Open-source
Trayzero	Android, iOS	None	On-device, local-only	None (JSON backup)	Yes (GPLv3)
Everdo	Win, Mac, Linux, Android, iOS	None	Local-first	Optional, E2EE (paid)	No
Tasks.org	Android	None	Local DB	Optional: CalDAV / E2EE / self-host	Yes (GPLv3)
Orgzly Revived	Android	None	Local plain-text (.org)	Optional: WebDAV / Dropbox	Yes
Joplin	Desktop + mobile	Only for sync	Local + E2EE cloud sync	Built-in, E2EE optional	Yes
Obsidian + Tasks	Desktop + mobile	None (personal)	Local Markdown vault	Optional, E2EE (paid)	App: no / plugins: yes

No column wins every row. Everdo and Joplin win on cross-platform sync; Trayzero, Tasks.org, and Orgzly win on minimizing what exists in the first place. The table is a map of which app buys which property — so you can choose on purpose.

Where Trayzero lands

Trayzero is the strict local-only pick: no account, an on-device database, no telemetry by default, and open-source code so none of that has to be taken on faith. It's purpose-built for GTD — fast inbox capture and processing and a weekly review you run on data that's always on your phone, online or not. Every feature is free with no subscription; optional tips and a supporter purchase exist, but nothing is gated behind them, because there's no server bill to fund.

The honest fit: Trayzero is mobile-only and single-device by design. If you need encrypted sync across a desktop and a phone, Everdo or Joplin will serve you better. But if your definition of private is "my tasks are on my phone and nowhere else, and I never had to sign up for anything" — that's the exact problem Trayzero is built to solve.

Free on Google Play and the App Store.

Trayzero is an independent app inspired by the GTD methodology. "Getting Things Done" and "GTD" are trademarks of the David Allen Company.