Forem: Mark Thayer

Your Habit Tracker Knows More About You Than Your Therapist. Mine Can’t Read Any of It.

Mark Thayer — Fri, 17 Apr 2026 16:10:58 +0000

I built a habit tracker where the server has no idea what you’re tracking.

Every habit app I looked at stores your data in plaintext on their servers. Your daily check-ins, your goals, your mood journal, your streaks — sitting in a database, readable by anyone with access. That felt wrong to me.

So I built Metamorphic: a habit and self-improvement tracker where all your data is encrypted in your browser before it ever reaches the server. The server only stores opaque blobs of ciphertext. Not even your email address is stored in plaintext.

Why encrypt a habit tracker?

Think about what a habit tracker actually contains. It’s not just “drink more water” and a checkbox. Over time, it becomes a detailed map of what you’re trying to change about yourself — your struggles, your patterns, the things you fail at repeatedly. That’s more intimate than most of what you’d share on social media.

The idea came from watching my partner, who has a background in psychology and behavior science. She’s always thinking about how to break old habits and build better ones. It clicked: if your habits, goals, and self-reflections are this personal, they should be private to only you. And you shouldn’t have to worry about whether they are.

The backstory

I run Moss Piglet, a bootstrapped public benefit company. Our other product, MOSSLET, is a privacy-first social platform built with Elixir. When I was becoming a new dad, I’d just finished reading The Age of Surveillance Capitalism by Shoshana Zuboff — and I wanted a better digital world for my daughter. When Meta rolled back end-to-end encryption on its messaging, I was pushed to implement real E2EE in MOSSLET.

Metamorphic takes that work further. Instead of encrypting just messages, the entire application is zero-knowledge. The server can’t read your habits, your goals, your reflections, your schedule, your group data — none of it. If our database were fully breached tomorrow, an attacker would get nothing useful.

What Metamorphic actually does

It’s a complete self-improvement platform, not just a checkbox app:

Habit tracking — Daily and weekly check-ins, streaks, drag-and-drop reordering, categories
Self-reflections — A journal with mood tracking and daily prompts
Goal setting — Milestones, progress bars, and the ability to link goals to habits so check-ins automatically advance your progress
Schedule and calendar — Recurring events, a day planner, and printable views for people who like paper
Family and group accountability — Shared habits, shared goals, a group dashboard, and member spotlights
Progress insights — Activity heatmaps and completion stats
Data export — JSON and CSV, decrypted entirely in your browser. The server never sees the plaintext, even during export

One thing I feel strongly about: encryption is not a premium feature. Every tier — including the free one — gets full end-to-end encryption. Paid tiers unlock convenience features like unlimited habits, reminders, data export, and groups. But privacy is not something you should have to pay extra for.

How the privacy works (without the jargon)

When you create a habit, type a journal entry, or set a goal, your browser encrypts that data before sending it to the server. The server stores it, but has no way to read it. When you load the page later, the server sends the encrypted blobs back, and your browser decrypts them using keys that only exist on your device.

Your password is never stored or transmitted in a usable form. Instead, it’s used to derive a cryptographic key locally, and that derived key unlocks everything else. If you lose your password and haven’t set up a recovery key, your data is gone — by design. That’s the real trade-off of zero-knowledge, and it’s the correct one.

For the more technically inclined:

Client-side encryption uses libsodium (XSalsa20-Poly1305)
Key distribution uses a hybrid post-quantum scheme: ML-KEM-768 combined with X25519 — the same approach Signal and Apple iMessage have adopted to protect against future quantum computers
Three independent encryption layers at rest : client-side E2E, AES-256-GCM in Postgres, and LUKS disk encryption on the hosting infrastructure
Zero-knowledge email : no plaintext email column in the database. Only a one-way hash for lookups and an encrypted blob
A detailed architecture writeup is at metamorphic.app/encryption

The interesting tension

Metamorphic is built with Phoenix LiveView, a framework where the server renders the page. But in a zero-knowledge system, the server can’t render the content — it doesn’t know what it says. The result is a choreography: the server sends the page structure with placeholder skeletons, and JavaScript hooks decrypt and fill in the real content on arrival.

It works. The skeletons flash in briefly, then the real data appears. UX-wise, it’s not dramatically different from any app with a loading state. Architecturally, it’s a very different beast — 15+ JavaScript hooks managing the encrypt/decrypt lifecycle across habits, goals, reflections, events, groups, and export.

The real trade-offs

I won’t pretend zero-knowledge doesn’t have costs:

No server-side search. If you want to filter habits by name or search your reflections, that happens client-side after decryption. Fine at our current scale.
If you lose your password and your recovery key, your data is unrecoverable. This is a real UX concern. The recovery key flow mitigates it, but the fundamental constraint is by design.
Testing is harder. You can’t assert on decrypted content in server-side tests because decryption only happens in JavaScript. Tests verify DOM structure and that encrypted fields are stored correctly — the decrypt-and-display pipeline is the gap.

These are trade-offs I’m willing to make. Your habit data being unreadable to everyone except you — including me — is worth it.

Try it

I’m not very good at habit tracking myself, which is partly why I built this. I’ve been using Metamorphic to get back into yoga, meditation, and running. So far, so good.

Check it out at metamorphic.app.

I Built a Zero-Knowledge Encrypted Habit Tracker with Elixir & Phoenix LiveView

Mark Thayer — Thu, 16 Apr 2026 23:16:47 +0000

I'm the solo dev at Moss Piglet, a bootstrapped public benefit company. I've been building Metamorphic — a habit and self-improvement tracker where all personal data is encrypted client-side before it ever reaches the server. The server only stores opaque cipher-text blobs.

Why encrypt a habit tracker?

I was inspired by my partner's background in psych and behavior science. It clicked that something as personal as your habits, goals, and self-reflections — basically a map of what you're trying to change about yourself — should be private to only you, and you shouldn't have to worry about it being otherwise.
Every other habit tracker I looked at stores your data in plaintext. Metamorphic doesn’t.

What it does

Habit tracking — daily/weekly check-ins, streaks, drag-and-drop reordering
Self-reflections — mood tracking and daily prompts
Goal setting — milestones, progress bars, habit linking
Schedule/calendar — recurring events, day planner, printable views
Family/group accountability — shared habits, shared goals, group dashboard
Progress insights — activity heatmaps, completion stats
Data export (JSON/CSV) — decrypted entirely client-side, server never sees plaintext

Encryption is not a premium feature. Every tier gets full E2E encryption. Paid tiers gate convenience (unlimited habits, reminders, export, groups), not privacy.

How the crypto works

Client-side encryption via libsodium-wrappers-sumo — XSalsa20-Poly1305 for data, NaCl box/seal for key distribution
Hybrid post-quantum key encapsulation (ML-KEM-768 + X25519 via @noble/post-quantum) — the same approach as Signal and Apple iMessage
Three independent encryption layers at rest: client-side E2E, Cloak AES-256-GCM in Postgres, and LUKS disk encryption on Fly.io
Zero-knowledge email: no plaintext email column in the database — only an HMAC blind index for lookups and an E2E-encrypted blob
Password never touches sessionStorage — only the Argon2id-derived session key
Persistent key cache using Web Crypto API (non-extractable AES-256-GCM wrapping key in IndexedDB) so browser restarts don't require re-entering your password
Recovery key flow for password reset without server access to private keys

More detail on the architecture: metamorphic.app/encryption

The interesting tradeoff: LiveView + zero-knowledge

This is the part I think other Elixir/Phoenix devs will find most relevant.

LiveView is server-rendered by design. Zero-knowledge encryption means the server can't see the content it's rendering. These are fundamentally in tension.

The result: brief placeholder skeletons that JS hooks fill in after client-side decryption, and a lot of push_event/handleEvent choreography (15+ hooks). It's not too different UX-wise from a trust-the-server model — the skeletons flash in briefly — but architecturally it's a very different beast.

Other tradeoffs:

No server-side search on encrypted fields. Filtering by habit name or reflection text happens client-side after decryption. Fine at current scale.

Testing is harder. You can't assert on decrypted content in LiveView tests since decryption is JS-only. Tests focus on DOM structure and data attributes. Context-level tests verify encrypted fields are stored and retrieved correctly — the decrypt-and-display pipeline is the gap.

If you lose your password and haven't set up a recovery key, your data is gone. By design. Real UX tradeoff, but correct for zero-knowledge.

Stack

Elixir/Phoenix LiveView — full-stack web app
Ecto + Postgres (Fly.io Managed Postgres)
libsodium-wrappers-sumo + @noble/post-quantum — client-side crypto
Cloak/cloak_ecto — application-level at-rest encryption
Oban — background jobs (reminders)
Tailwind CSS v4 + daisyUI — UI/theming
Sortable.js — drag-and-drop
JSZip — export packaging
Tidewave — AI-assisted development (runtime introspection, live SQL/eval, a11y diagnostics)

A lot was shared from my work on MOSSLET, a privacy-first social platform with private journal and Bluesky interop, also built with Elixir.

Try it

I'm not very good at habit tracking myself, so I've been using Metamorphic to get back into yoga, meditation, and running. So far so good.

Check it out at metamorphic.app. Happy to answer questions about the architecture, the zero-knowledge approach, bootstrapping a public benefit company, or anything Elixir-related.