Mark Thayer

Zero-knowledge habit tracking. Your growth belongs to you.


Hi Product Hunt! 👋

I'm Mark, solo dev and co-founder of Moss Piglet — a privacy-first public benefit company.

Habit tracking is personal. Your goals, your struggles, your progress — that's some of the most intimate data you can generate about yourself. So why does every habit tracker out there store it in plaintext on their servers?

Metamorphic is a zero-knowledge encrypted habit tracker. Your data is encrypted in your browser before it ever leaves your device. The server never sees your habits, your goals, or your progress. Not even we can read it.


How it works:

  • Password-derived public-key cryptography runs entirely in the browser

  • End-to-end encryption by default on every plan — not a premium add-on

  • The server stores only encrypted blobs it can never decrypt

What you get:

  • Habits & streaks — build consistency and track your check-ins

  • Reflections — journal on your progress privately

  • Goals & milestones — set targets and track meaningful progress

  • Schedule / calendar — plan your habits around your life

  • Progress insights — see how you're actually doing over time

  • Family groups — up to 6 people with shared habits, shared goals, and a group dashboard

  • Data export — your data, your way out. Always.

Every plan gets E2E encryption. The free tier gives you 5 habits with 7 days of history and full streak tracking — no credit card, no catch. Paid plans unlock unlimited habits, full history, reflections, goals, insights, and family features.


Why I built this:

I believe privacy is foundational to how we grow as people. You can't reflect honestly or push yourself if you know someone's watching. Metamorphic is built to give you that space.

It's built with Elixir and Phoenix LiveView, bootstrapped with zero investors, and run as a public benefit company — so the incentive is always the product, never your data.

I also built MOSSLET, a privacy-first social network with E2EE messaging and Bluesky interop, using the same encryption architecture that inspired Metamorphic.

Launch offer: Use code PH20SAVE for 20% off 6 months (good until April 30, 2026 at 11:59pm).

Would love to hear what you think — happy to answer any questions about the zero-knowledge architecture or anything else. 🙏

Isaac Dominic

What happens if a user forgets their password completely?

Mark Thayer

@isaac_dominic1 Great question — this is the tradeoff that comes with real zero-knowledge encryption. If you forget your password completely and haven't set up a recovery code, your encrypted data is unrecoverable. We can't decrypt it for you because we never had the ability to.

That said, we make it easy to protect yourself: during signup you can generate a recovery code in settings. If you ever forget your password, that recovery code lets you reset it and re-encrypt your data. We also encourage storing it somewhere safe like a password manager.

It's a similar model to Proton Mail — real privacy means only you hold the keys. 🔐

Daisy Morgan

Is there any performance hit from doing everything in browser?

Mark Thayer

@daisy_morgan2 No noticeable performance hit. The heavy crypto (key derivation) only happens once at login. After that, decrypting each item uses NaCl/libsodium compiled to WebAssembly — each decrypt takes under a millisecond. Loading a page with dozens of items adds maybe 10-20ms of total decrypt time. Any slowdown you might notice will be minimal, and more likely down to general internet latency.

Yara Simone

Can users audit or verify the encryption implementation?

Mark Thayer

@yara_simone Yes — the client-side encryption is verifiable right now in your browser.

But, thank you for this question, because we just released a page explaining how our encryption works and how people can verify: https://metamorphic.app/encryption

All encryption and decryption happens in JavaScript that ships to your browser. You can open DevTools, inspect the source, and see exactly what's happening. The crypto code uses libsodium-wrappers-sumo (a well-audited, widely-used NaCl implementation) — not custom cryptography. You can verify:

  • Network tab: No plaintext user data ever leaves the browser. You'll see only encrypted blobs in requests.

  • Source tab: The crypto modules (key generation, encryption, decryption) are all in the client-side JS bundle.

  • sessionStorage: Your derived keys live only in your browser session β€” the server never receives them.

We use standard, proven primitives: XSalsa20-Poly1305 for symmetric encryption, X25519 for key exchange, and Argon2id for key derivation. No homegrown crypto.

The codebase is private today, but we're considering publishing the crypto modules independently so anyone can audit the encryption layer without needing access to the full app source. A formal third-party security audit is also on our roadmap.

Yara Simone

@f0rest8 That's solid, giving users a way to verify it themselves builds real trust

Sienna Claire

What made you choose this architecture over simpler ones?

Mark Thayer

@sienna_claire Great question. It starts with my other app, Mosslet. I was becoming a new dad and had just finished reading The Age of Surveillance Capitalism by Shoshana Zuboff -- and I wanted a better world for my little one. At the time I went with a trust-the-server model for Mosslet (which is fine -- the code is open source and you can verify it). But when I read about Meta rolling back end-to-end encryption on its direct messaging, it pushed me to implement real E2EE in Mosslet's messaging, built on an asymmetric, password-derived key architecture.

As for Metamorphic's features themselves, I was inspired by my partner, who is always thinking of ways to improve, figuring out how to break old habits and form better ones — she's passionate about psychology and behavior. And then it just made sense to me that something as personal as your habits/goals should be private to only you — and you shouldn't have to worry about it being otherwise.

Sienna Claire

@f0rest8 That's a strong reason, building it from values not just convenience

Noah Bennett

I personally like the idea of ownership over data, but I would still hesitate if onboarding feels even slightly fragile.

Mark Thayer

@noah_bennett5 Thanks Noah — that's a really valid concern. Onboarding is something we've put a lot of thought into precisely because of this tension. The encryption setup happens transparently during sign-up — you create an account with email and password like any other app, and all the key generation happens automatically in the background. There's no key management, no seed phrases, nothing extra to configure.

The one intentional friction point is the recovery key — we prompt you to save it after sign-up in case you ever forget your password, since we can't reset it for you (by design). But day-to-day usage feels like any other habit tracker.

Would love to know how it went for you.

Gaurav Singh

The "your data never leaves your device" angle is genuinely differentiated, Mark. Most habit trackers treat privacy as a footnote in the settings page rather than the whole product thesis.

As a solo founder myself (building ad-vertly), what strikes me about this approach is that you picked a moat that big companies are actually worse at. A funded startup with investors asking for growth dashboards will always be tempted to mine user data. You can credibly commit to never doing that.

The messaging challenge is going to be helping people understand what zero-knowledge means without making them feel like they need a CS degree. "We can't read your habits, even if we wanted to" is a line that does a lot of work there.

Rooting for you on this one. Privacy as a first principle is a rare and defensible position.

Mark Thayer

@gaurav_singh91 Really appreciate this, Gaurav — I actually use almost that exact line on the site: "We can't read your data, even if we wanted to." Glad to hear it lands. Finding that balance between "this is serious cryptography" and "you don't need to care about any of that, it just works" is an ongoing process. To me, it just matters that people have another service out there they can trust.

Best of luck with ad-vertly, it looks really fascinating β€” solo founder life is a journey. Rooting for you too.

Sai Tharun Kakirala

The zero-knowledge approach here is genuinely rare. Most habit trackers treat privacy as a legal checkbox; you're making it a core architectural constraint. That's the kind of commitment that actually earns trust.

What's interesting is the contrast with AI-assisted productivity tools. At Hello Aria, our AI assistant that works over WhatsApp/Telegram, users share a lot of context with the AI to make it useful — which creates the opposite tension. We've had long internal conversations about what gets stored, what stays ephemeral, and how to be transparent about it.

Your approach of never touching the data server-side forces a different (and more disciplined) design. Curious how you handle streak recovery if someone loses local access? Any encryption key backup mechanism?

Mark Thayer

@sai_tharun_kakirala Thanks — that's a really thoughtful observation about the tension between AI usefulness and privacy, and I ran into that when designing Mosslet's privacy-first AI features. You're right that they pull in opposite directions: AI needs context to be helpful, but context means data exposure. The fact that you're having those internal conversations about what stays ephemeral vs. what gets stored is exactly the right instinct. Most teams don't even ask the question. I'd also look into Confer and Proton Mail's Lumo if you haven't already.

To answer your question: your encryption keys aren't at risk from losing local access. Your private keys are stored on our server — encrypted with a session key that's derived from your password via Argon2id. The session key lives temporarily in your browser, but if your device dies or your session is wiped, you just log in again. Your password re-derives the session key, which unlocks your private keys from the server. Nothing critical is local-only, but it can only be decrypted locally by you.

On top of that, we have a recovery key system for the "forgot my password" scenario. You can generate a human-readable recovery code in Settings that acts as a backup decryption path — it lets you re-derive your private keys and set a new password. The recovery key is shown once, never stored by us (only an Argon2 hash for verification), and consumed on use.

Without your password or recovery key, your data is permanently unrecoverable — by design. It's a real tradeoff: we give up "forgot password" email resets in exchange for genuine zero-knowledge. For us that's worth it, but it means we have to be clear with users about setting up their recovery key early.

Mark Thayer

Hey, Product Hunt. Mark here, solo dev behind Metamorphic. Just wanted to say thank you to everyone checking it out on launch day. I was inspired to build this by my partner's focus on little daily life hacks to improve and grow as a better person.

It also felt like a perfect choice for privacy. If you've ever felt weird about a habit tracker knowing everything about your daily life, that's exactly why I built Metamorphic to be zero-knowledge from the start. Your data is encrypted before it leaves your browser. I literally can't see it (or anyone else). Try the free tier, no credit card needed, and let me know what you think. Happy to answer any questions in the thread.

Mark Thayer

Metamorphic is now post-quantum resistant

Your habits, goals, reflections, and personal data are now protected against both today's threats and tomorrow's quantum computers.

We've upgraded Metamorphic's encryption architecture to use a hybrid post-quantum KEM — combining classical X25519 with ML-KEM-768 (NIST FIPS 203), the same approach used by Signal, Apple iMessage, and Chrome. Both algorithms must be broken simultaneously to compromise your data. If either one holds, your keys stay safe.

What changed

  • Hybrid key distribution — Every key seal operation now uses ML-KEM-768 + X25519, providing resistance to both classical and quantum attacks

  • Automatic migration — Existing users get post-quantum protection on their next login. Your browser generates new hybrid keys and re-seals all your existing data in the background. No action required.

  • Version-tagged ciphertext — We introduced a v1/v2 format so legacy-encrypted data continues to work seamlessly while all keys are progressively upgraded to quantum-resistant wrapping

  • SHA3-256 key combiner — The two shared secrets are combined with full transcript binding (ciphertexts and public keys included), following the IETF hybrid KEM draft for proper domain separation

What didn't change

  • Zero-knowledge guarantee — We still can't read your data. Everything is still encrypted and decrypted in your browser.

  • Three layers of encryption at rest — Client-side E2E (XSalsa20-Poly1305), application-layer (AES-256-GCM), and infrastructure disk encryption (LUKS) all remain in place.

  • No price change — Post-quantum encryption is included on every plan, including free. Privacy is not a paid upgrade.

Why this matters for a habit tracker

Your habit data might seem low-stakes, but it reveals your daily routines, health practices, mental health patterns, personal goals, and the structure of your life. Adversaries with a "harvest now, decrypt later" strategy could capture encrypted data today and wait for quantum computers to break classical encryption years from now.

We'd rather not give them the chance.

Technical details

We use libsodium (via libsodium-wrappers-sumo) for classical cryptography and @noble/post-quantum (from the noble cryptography suite, whose core libraries have been audited by Cure53) for ML-KEM-768. No custom or proprietary cryptography.

Full details are on our updated encryption architecture page.

Mark Thayer

Quick update β€” Metamorphic was just featured as the #1 pick in We Are Founders' "Best Habit Tracking Apps" roundup for 2026. We're the only zero-knowledge encrypted option on the list. Also recently added .ics calendar import/export and moved data export to the free tier. More coming soon.