Zero-knowledge habit tracking. Your growth belongs to you.

byβ€’

Hi Product Hunt! πŸ‘‹

I'm Mark, solo dev and co-founder of β€” a privacy-first public benefit company.

Habit tracking is personal. Your goals, your struggles, your progress β€” that's some of the most intimate data you can generate about yourself. So why does every habit tracker out there store it in plaintext on their servers?

is a zero-knowledge encrypted habit tracker. Your data is encrypted in your browser before it ever leaves your device. The server never sees your habits, your goals, or your progress. Not even we can read it.


How it works:

  • Password-derived public-key cryptography runs entirely in the browser

  • End-to-end encryption by default on every plan β€” not a premium add-on

  • The server stores only encrypted blobs it can never decrypt

What you get:

  • Habits & streaks β€” build consistency and track your check-ins

  • Reflections β€” journal on your progress privately

  • Goals & milestones β€” set targets and track meaningful progress

  • Schedule / calendar β€” plan your habits around your life

  • Progress insights β€” see how you're actually doing over time

  • Family groups β€” up to 6 people with shared habits, shared goals, and a group dashboard

  • Data export β€” your data, your way out. Always.

Every plan gets E2E encryption. The free tier gives you 5 habits with 7 days of history and full streak tracking β€” no credit card, no catch. Paid plans unlock unlimited habits, full history, reflections, goals, insights, and family features.


Why I built this:

I believe privacy is foundational to how we grow as people. You can't reflect honestly or push yourself if you know someone's watching. Metamorphic is built to give you that space.

It's built with Elixir and Phoenix LiveView, bootstrapped with zero investors, and run as a public benefit company β€” so the incentive is always the product, never your data.

I also built , a privacy-first social network with E2EE messaging and Bluesky interop, using the same encryption architecture that inspired Metamorphic.

Launch offer: Use code PH20SAVE for 20% off 6 months (good until April 30, 2026 at 11:59pm).

Would love to hear what you think β€” happy to answer any questions about the zero-knowledge architecture or anything else. πŸ™

181 views

Add a comment

Replies

Best

What happens if a user forgets their password completely?

Great question β€” this is the tradeoff that comes with real zero-knowledge encryption. If you forget your password completely and haven't set up a recovery code, your encrypted data is unrecoverable. We can't decrypt it for you because we never had the ability to.

That said, we make it easy to protect yourself: during signup you can generate a recovery code in settings. If you ever forget your password, that recovery code lets you reset it and re-encrypt your data. We also encourage storing it somewhere safe like a password manager.

It's a similar model to Proton Mail β€” real privacy means only you hold the keys. πŸ”

Is there any performance hit from doing everything in browser?

Β No noticeable performance hit. The heavy crypto (key derivation) only happens once at login. After that, decrypting each item uses NaCl/libsodium compiled to WebAssembly β€” each decrypt takes under a millisecond. Loading a page with dozens of items adds maybe 10-20ms of total decrypt time. Any performance hit you might notice is minimal and will be more noticeable due to general internet latency.

I personally like the idea of ownership over data, but I would still hesitate if onboarding feels even slightly fragile.

Β Thanks Noah β€” that's a really valid concern. Onboarding is something we've put a lot of thought into precisely because of this tension. The encryption setup happens transparently during sign-up β€” you create an account with email and password like any other app, and all the key generation happens automatically in the background. There's no key management, no seed phrases, nothing extra to configure.


The one intentional friction point is the recovery key β€” we prompt you to save it after sign-up in case you ever forget your password, since we can't reset it for you (by design). But day-to-day usage feels like any other habit tracker.

Would love to know how it went for you.

Can users audit or verify the encryption implementation?

Β Yes β€” the client-side encryption is verifiable right now in your browser.

But, thank you for this question, because we just released a page explaining how our encryption works and how people can verify:

All encryption and decryption happens in JavaScript that ships to your browser. You can open DevTools, inspect the source, and see exactly what's happening. The crypto code uses libsodium-wrappers-sumo (a well-audited, widely-used NaCl implementation) β€” not custom cryptography. You can verify:

  • Network tab: No plaintext user data ever leaves the browser. You'll see only encrypted blobs in requests.

  • Source tab: The crypto modules (key generation, encryption, decryption) are all in the client-side JS bundle.

  • sessionStorage: Your derived keys live only in your browser session β€” the server never receives them.

We use standard, proven primitives: XSalsa20-Poly1305 for symmetric encryption, X25519 for key exchange, and Argon2id for key derivation. No homegrown crypto.

The codebase is private today, but we're considering publishing the crypto modules independently so anyone can audit the encryption layer without needing access to the full app source. A formal third-party security audit is also on our roadmap.

Β That's solid, giving users a way to verify it themselves builds real trust

What made you choose this architecture over simpler ones?

Β Great question. It starts with my other app, . I was becoming a new dad and had just finished reading The Age of Surveillance Capitalism by Shoshana Zuboff -- and I wanted a better world for my little one. At the time I went with a trust-the-server model for Mosslet (which is fine -- the code is open source and you can verify it). But when I read about Meta rolling back end-to-end encryption on its direct messaging, it pushed me to implement real E2EE in Mosslet's messaging, built on an asymmetric, password-derived key architecture.

As for Metamorphic’s features itself, I was inspired by my partner who is always thinking of ways to improve, figuring out how to break old habits and form better ones β€” she’s passionate about psychology and behavior. And then it just made sense to me that something so personal as your habits/goals should be private to only you β€” and you shouldn’t have to worry about it being otherwise.

Β That's a strong reason, building it from values not just convenience

I played around with . I like the simple and clean UI. I hit my first 100% streak today simply because I went for a run this morning. Love it! I also love the idea of keeping my data safe from prying eyes, and appreciate any product that takes my privacy seriously.

I'm working on a zero-knowledge product myself, a financial tracker, and I've been back and forth on the decision of enabling the feature more than once.

I decided that end-2-end encryption should be part of the product core features. Hopefully I won't change my mind again, mostly because every time I do it takes me days to get everything to work as before.

, has it been the same for you? Aren't you worried about users/customers losing all their habit data and not being able to help them in any way? Bonus question: aren't you feeling like the odd one out not including AI in your product because E2EE and AI don't mix well?

Β Thank you β€” and congrats on your first 100% streak! That's the loop the whole product is built around. Also, it’s aimed at being simple and forgiving. You’ll notice confetti when you hit your first 7day streak, and the nudges when you are in a group with someone have a real positive surprise effect on the other person (at least in my experience).

On your three questions β€” happy to go deep, because these are exactly the calls every zero-knowledge builder has to make.

1. Is E2EE worth keeping in the core?

Yes β€” and I'd encourage you to hold the line on financial data especially. Financial behavior is one of the most sensitive datasets imo. If you've already done the architectural work to support it, that's compounding value you don't want to throw away. Every time you re-litigate the decision, you pay the migration tax twice (I’ve been there too). Build it in, document the tradeoffs honestly, and move on to features. The customers who care will be the ones worth keeping. Also, the more we build with zero-knowledge, privacy-first architectures in mind β€” the more we’ll start to innovate there too.

2. Worried about users losing their data because we can't recover it?

Yes, but it doesn’t keep me up at night, and I built around that constraint. A few things that I think help:

  • Password reset flows preserve data. When users reset their password, their data stays accessible β€” we use password-derived keys with a recovery mechanism that doesn't give us access to the cleartext.

  • Data export, always. Users can export everything at any time. The strongest user protection isn't us holding their data hostage β€” it's making sure they can walk out the door with it whenever they want.

  • Human readable recovery keys so people can be proactive to have a second layer of protection against accidental data loss due to forgotten passwords. All while remaining zero-knowledge.

  • Clear UX around the tradeoff. We're explicit during signup: this is zero-knowledge, which means you hold the key. The customers who choose us choose us partly because of that constraint, not despite it.

The worry never fully goes away, but I try to reframe it because what's the alternative? Being able to recover data because we hold the keys β€” that seems worse in terms of failure for the people who actually need privacy.

In your case, I would think failure is even higher-risk than a service like Metamorphic. Or take our other product, Mosslet (a social network), you could have journalists, abuse survivors, people with controlling family members, people in regulated industries.

The "we can recover anything" architecture is the architecture that gets subpoenaed, breached, or sold. Maybe you can protect it for a while, but it’s a hard thing to do the longer you stay in business. Being able to say, β€œOkay we got breached, but all they got was encrypted blobs that they can’t do anything with” β€” that seems better to me than β€œOkay β€” it happened to us too".

3. Feeling like the odd one out for not bolting on AI?

Sometimes it does seem like only AI-heavy products are getting attention. But, honestly? No. The opposite. And DuckDuckGo just saw huge adoption numbers after Google started force-feeding people AI, showing customers might still prefer choice and considerate design.

And in terms of privacy, AI-in-the-product almost always means "your data goes to a third-party model provider," which collapses zero-knowledge the moment you ship it. There are emerging patterns for on-device / WASM-resident inference that could preserve E2EE, and I'm watching that space β€” but I'm trying not to ship AI features that quietly undo all the wins for people from our privacy-first zk architecture β€” so I have to be slower perhaps than others in that space.

Although, I have started to use some WASM/on-device AI on Mosslet to get some of the automation benefits while preserving people’s privacy. I think that’s an area you may want to explore because there is some real value to the speed and automation you could achieve with AI models and financial data, you’d just want to ensure they’re running locally on the client-side with no exposure of people’s decrypted data.

I’ve heard people say the market will split to be either AI products or privacy products, but not both β€” I tend to push back a bit there. I think the more we develop privacy-first products then the more we will start to think about how we can make AI fit that model β€” and then we’ll have some real innovation. And hopefully also innovation around the production of AI (as it’s not a bright spot in my opinion).

Excited to follow your financial tracker β€” let me know when it's further along. The world needs more zero-knowledge product builders, not fewer. I’ve also recently open-sourced a lot of our tools to help others make zero-knowledge post-quantum architectures: (Rust available on crates.io and packaged in WASM on ) and (server-side not ZK but helpful for anyone migrating) for the Elixir folks with a architecture. My company, , does consulting too if you’re ever inclined for my direct help/support.🦦

The "your data never leaves your device" angle is genuinely differentiated, Mark. Most habit trackers treat privacy as a footnote in the settings page rather than the whole product thesis.

As a solo founder myself (building ad-vertly), what strikes me about this approach is that you picked a moat that big companies are actually worse at. A funded startup with investors asking for growth dashboards will always be tempted to mine user data. You can credibly commit to never doing that.

The messaging challenge is going to be helping people understand what zero-knowledge means without making them feel like they need a CS degree. "We can't read your habits, even if we wanted to" is a line that does a lot of work there.

Rooting for you on this one. Privacy as a first principle is a rare and defensible position.

Β Really appreciate this, Gaurav β€” I actually use almost that exact line on the site: "We can't read your data, even if we wanted to." Glad to hear it lands. Finding that balance between "this is serious cryptography" and "you don't need to care about any of that, it just works" is an ongoing process. To me, it just matters that people have another service out there they can trust.

Best of luck with ad-vertly, it looks really fascinating β€” solo founder life is a journey. Rooting for you too.

The zero-knowledge approach here is genuinely rare. Most habit trackers treat privacy as a legal checkbox; you’re making it a core architectural constraint. That’s the kind of commitment that actually earns trust.

What’s interesting is the contrast with AI-assisted productivity tools. At Hello Aria, our AI assistant that works over WhatsApp/Telegram, users share a lot of context with the AI to make it useful β€” which creates the opposite tension. We’ve had long internal conversations about what gets stored, what stays ephemeral, and how to be transparent about it.

Your approach of never touching the data server-side forces a different (and more disciplined) design. Curious how you handle streak recovery if someone loses local access? Any encryption key backup mechanism?

Β Thanks β€” that's a really thoughtful observation about the tension between AI usefulness and privacy, and I ran into that when designing privacy-first AI features. You're right that they pull in opposite directions: AI needs context to be helpful, but context means data exposure. The fact that you're having those internal conversations about what stays ephemeral vs. what gets stored is exactly the right instinct. Most teams don't even ask the question. I’d also look into Confer and Proton Mail’s Lumo if you haven’t already.

To answer your question: your encryption keys aren't at risk from losing local access. Your private keys are stored on our server β€” encrypted with a session key that's derived from your password via Argon2id. The session key lives temporarily in your browser, but if your device dies or your session is wiped, you just log in again. Your password re-derives the session key, which unlocks your private keys from the server. Nothing critical is local-only but it is only able to be decrypted locally by you.

On top of that, we have a recovery key system for the "forgot my password" scenario. You can generate a human-readable recovery code in Settings that acts as a backup decryption path β€” it lets you re-derive your private keys and set a new password. The recovery key is shown once, never stored by us (only an Argon2 hash for verification), and consumed on use.

Without your password or recovery key, your data is permanently unrecoverable β€” by design. It's a real tradeoff: we give up "forgot password" email resets in exchange for genuine zero-knowledge. For us that's worth it, but it means we have to be clear with users about setting up their recovery key early.

Hey, Product Hunt. Mark here, solo dev behind Metamorphic. Just wanted to say thank you to everyone checking it out on launch day. I was inspired to build this by my partner's focus on little daily life hacks to improve and grow as a better person.

It also felt like a perfect choice for privacy. If you've ever felt weird about a habit tracker knowing everything about your daily life, that's exactly why I built Metamorphic to be zero-knowledge from the start. Your data is encrypted before it leaves your browser. I literally can't see it (or anyone else). Try the free tier, no credit card needed, and let me know what you think. Happy to answer any questions in the thread.

Metamorphic is now post-quantum resistant

Your habits, goals, reflections, and personal data are now protected against both today's threats and tomorrow's quantum computers.

We've upgraded Metamorphic's encryption architecture to use a hybrid post-quantum KEM β€” combining classical X25519 with ML-KEM-768 (NIST FIPS 203), the same approach used by Signal, Apple iMessage, and Chrome. Both algorithms must be broken simultaneously to compromise your data. If either one holds, your keys stay safe.

What changed

  • Hybrid key distribution β€” Every key seal operation now uses ML-KEM-768 + X25519, providingresistance to both classical and quantum attacks

  • Automatic migration β€” Existing users get post-quantum protection on their next login. Your browsergenerates new hybrid keys and re-seals all your existing data in the background. No action required.

  • Version-tagged ciphertext β€” We introduced a v1/v2 format so legacy-encrypted data continues to workseamlessly while all keys are progressively upgraded to quantum-resistant wrapping

  • SHA3-256 key combiner β€” The two shared secrets are combined with full transcript binding (ciphertextsand public keys included), following the IETF hybrid KEM draft for proper domain separation

What didn't change

  • Zero-knowledge guarantee β€” We still can't read your data. Everything is still encrypted and decryptedin your browser.

  • Three layers of encryption at rest β€” Client-side E2E (XSalsa20-Poly1305), application-layer (AES-256-GCM), and infrastructure disk encryption (LUKS) all remain in place.

  • No price change β€” Post-quantum encryption is included on every plan, including free. Privacy is not apaid upgrade.

Why this matters for a habit tracker

Your habit data might seem low-stakes, but it reveals your daily routines, health practices, mental health patterns, personal goals, and the structure of your life. Adversaries with a "harvest now, decrypt later" strategy could capture encrypted data today and wait for quantum computers to break classical encryption years from now.

We'd rather not give them the chance.

Technical details

We use libsodium (via libsodium-wrappers-sumo) for classical cryptography and /post-quantum (from the noble cryptography suite, whose core libraries have been audited by Cure53) for ML-KEM-768. No custom or proprietary cryptography.

Full details are on our updatedΒ Β page.

12
Next
Last