<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Mark Thayer</title>
    <description>The latest articles on DEV Community by Mark Thayer (@f0rest8).</description>
    <link>https://dev.to/f0rest8</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3180631%2F268029bc-d75c-42e6-9467-b9ecb04995bb.jpeg</url>
      <title>DEV Community: Mark Thayer</title>
      <link>https://dev.to/f0rest8</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/f0rest8"/>
    <language>en</language>
    <item>
      <title>The Science Behind Your Habits (And Why Most Trackers Ignore It)</title>
      <dc:creator>Mark Thayer</dc:creator>
      <pubDate>Wed, 06 May 2026 13:10:31 +0000</pubDate>
      <link>https://dev.to/mosspigletcorp/the-science-behind-your-habits-and-why-most-trackers-ignore-it-2mdo</link>
      <guid>https://dev.to/mosspigletcorp/the-science-behind-your-habits-and-why-most-trackers-ignore-it-2mdo</guid>
      <description>&lt;p&gt;Most habit trackers are built on vibes. Streaks. Green checkmarks. A dopamine hit when the number goes up. A guilt trip when it resets to zero.&lt;/p&gt;

&lt;p&gt;It works — for about two weeks. Then you miss a day, the streak breaks, and the app that was supposed to help you change quietly becomes the thing you avoid opening.&lt;/p&gt;

&lt;p&gt;We built Metamorphic differently. Not because we think streaks are bad, but because the behavioral science says there's a lot more going on — and almost none of it shows up in the apps people actually use.&lt;/p&gt;

&lt;p&gt;Here's what the research says. And here's what we did about it.&lt;/p&gt;

&lt;h2&gt;Missed days don't destroy habits&lt;/h2&gt;

&lt;p&gt;This is the big one. The popular belief is that habits are fragile — miss a day and you're back to square one. The research says otherwise.&lt;/p&gt;

&lt;p&gt;Lally et al. (2010) ran a study tracking how habits actually form in real life. The average time to automaticity was 66 days, not the 21-day myth that won't die. More importantly: missing a single day had no measurable effect on habit formation. The curve barely blinked.&lt;/p&gt;

&lt;p&gt;Most habit trackers punish you for missing a day. Your streak resets. Your progress visualization drops. The implicit message is: you failed.&lt;/p&gt;

&lt;p&gt;Metamorphic has streak forgiveness. A single missed day doesn't break your streak. Skip days are first-class — you set them when you create the habit, and they're respected, not penalized. Because the science says flexibility predicts long-term success better than rigidity does.&lt;/p&gt;

&lt;h2&gt;The strongest behavior change technique isn't tracking&lt;/h2&gt;

&lt;p&gt;If you had to pick one intervention — one single thing that moves the needle on whether someone follows through — it's implementation intentions. "When X happens, I will do Y."&lt;/p&gt;

&lt;p&gt;Gollwitzer (1999) found an effect size of d=0.65. That's large. Larger than goal setting alone. Larger than motivation. Larger than tracking.&lt;/p&gt;

&lt;p&gt;The reason is simple: decisions are expensive. Every time you have to decide &lt;em&gt;when&lt;/em&gt; and &lt;em&gt;where&lt;/em&gt; and &lt;em&gt;how&lt;/em&gt; to do a habit, you're spending willpower. Implementation intentions pre-load the decision. You've already decided. The cue fires, the behavior follows.&lt;/p&gt;

&lt;p&gt;Metamorphic has a first-class "When → Then" field on every goal. Not buried in a settings menu. Not a tooltip. It's right there when you create the goal, with a timed reminder attached. Because the most effective technique in behavior change deserves more than an afterthought.&lt;/p&gt;

&lt;p&gt;We also built contextual cue prompts directly onto habits — an "After I…" field that links your habit to the thing you already do before it. &lt;em&gt;After morning coffee → Meditate. After I sit down at my desk → Review my goals.&lt;/em&gt; Wood &amp;amp; Neal (2007) showed that contextual cues — preceding activities, locations — are stronger triggers than time-based reminders alone. Your life already has a rhythm. We want to hook into it, not override it.&lt;/p&gt;

&lt;h2&gt;Habits and goals are not the same thing&lt;/h2&gt;

&lt;p&gt;This sounds obvious. Most apps ignore it anyway.&lt;/p&gt;

&lt;p&gt;A habit is something you do repeatedly. A goal is something you're working toward. The connection between them — how daily actions compound into outcomes — is where behavior change actually happens. And it's where most people get stuck.&lt;/p&gt;

&lt;p&gt;Locke &amp;amp; Latham (2002) spent decades studying goal-setting. Their central finding: specific, challenging goals with clear feedback mechanisms outperform vague intentions by a wide margin. But the mechanism matters. You need the bridge between "I want to run a marathon" and "I ran 3 miles today."&lt;/p&gt;

&lt;p&gt;Metamorphic lets you link habits directly to goals. Not as a tag. Not as a folder. As an explicit connection: &lt;em&gt;this habit serves this goal&lt;/em&gt;. You can see how your daily actions feed into your larger aims. That bridge — from action to outcome — is the hardest thing to build into a product because it requires the system to understand that a check-in today is part of a trajectory that spans months.&lt;/p&gt;

&lt;h2&gt;Emotions aren't decoration&lt;/h2&gt;

&lt;p&gt;Most habit trackers either ignore mood entirely or give you a 3-point smiley face scale. Happy, neutral, sad. Done.&lt;/p&gt;

&lt;p&gt;Barrett et al. (2001) found that emotion differentiation — the ability to make fine-grained distinctions between emotional states — is directly linked to better emotion regulation. People who can distinguish between "frustrated" and "anxious" and "overwhelmed" handle those states more effectively than people who lump them all into "bad."&lt;/p&gt;

&lt;p&gt;Metamorphic has a 9-point mood scale and 46 distinct emotions. Not because complexity is a virtue, but because granularity is a skill. The act of choosing between "restless" and "anxious" is itself a form of self-awareness. The tracker becomes a mirror, not just a ledger.&lt;/p&gt;

&lt;h2&gt;Reflection without action is just venting&lt;/h2&gt;

&lt;p&gt;Pennebaker (1997) showed that expressive writing — writing about your emotional experiences — has measurable psychological and even physical health benefits. Journaling works. This is well-established.&lt;/p&gt;

&lt;p&gt;What's less discussed is the gap between reflection and behavior change. You can journal every day and never change a thing. The insight stays on the page.&lt;/p&gt;

&lt;p&gt;Kolb's Experiential Learning Cycle describes the loop: experience → reflection → conceptualization → action → experience. Most apps give you the reflection step and stop there.&lt;/p&gt;

&lt;p&gt;Metamorphic has habits, goals, reflections, journal entries, and a daily schedule — and they're connected. A reflection can surface a pattern. A pattern can become a goal. A goal can spawn a habit. A habit gets a cue, a reminder, a link back to the goal it serves. The system is designed to close the loop, not just document it.&lt;/p&gt;

&lt;p&gt;We're building this further. After you write a reflection, we'll gently ask: &lt;em&gt;Want to carry something forward?&lt;/em&gt; You can create a habit, set an intention on a goal, or add something to tomorrow's priorities. Or dismiss it with a tap. The prompt only appears when the reflection suggests deeper processing — certain mood states, longer entries. It's never forced. Because autonomy matters more than engagement.&lt;/p&gt;

&lt;h2&gt;Gamification should celebrate, not control&lt;/h2&gt;

&lt;p&gt;There's a fine line between motivation and manipulation. Variable ratio reinforcement — unpredictable positive feedback — is the most psychologically engaging reward schedule (Schultz, 1997). It's also the mechanism behind slot machines.&lt;/p&gt;

&lt;p&gt;Metamorphic has 18 tiered achievements across 6 categories. We use gamification deliberately. Celebrations are earned, not manufactured. They acknowledge what you've done without creating anxiety about what you haven't.&lt;/p&gt;

&lt;p&gt;The design principle we follow: whispered, not shouted. A subtle glow, not a modal. A brief animation, not a notification. Confetti for genuine milestones, silence for ordinary check-ins. The app should feel like a quiet ally, not a needy coach.&lt;/p&gt;

&lt;h2&gt;Privacy isn't a feature. It's the foundation.&lt;/h2&gt;

&lt;p&gt;Becoming a parent inspired me to create &lt;a href="https://mosslet.com" rel="noopener noreferrer"&gt;Mosslet&lt;/a&gt;, our privacy-first space online for social and journaling, where people could be safe from the surveillance economy.&lt;/p&gt;

&lt;p&gt;The first version of Mosslet was actually called Metamorphic, but when Facebook rebranded to Meta, I felt we needed to change, and my partner came up with Mosslet from our public benefit company's name, Moss Piglet. Later, when Meta announced removing E2E encryption from Instagram DMs, I was inspired to implement zero-knowledge messaging in Mosslet. This would become the inspiration for our zero-knowledge, quantum-resistant architecture on Metamorphic today.&lt;/p&gt;

&lt;p&gt;With a privacy-first architecture in hand and the Metamorphic brand on the shelf, I was in need of a new idea. And that was when inspiration found me.&lt;/p&gt;

&lt;p&gt;My partner is passionate about psychology, particularly behavioral science, and self-improvement. Observing her, I was struck with a thought: a habit tracker built around behavioral science could be helpful for people, even people like me who traditionally forgo any kind of habit tracking and forming. And a habit tracker is something that &lt;em&gt;should be private&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;And that was how Metamorphic transformed itself into a privacy-first app to help us transform ourselves.&lt;/p&gt;

&lt;p&gt;Every mechanism I've described — mood tracking, emotion differentiation, honest reflection, habit-goal linking, streak forgiveness — depends on one thing: honesty. The data is only useful if it's true. And the data is only true if you feel safe entering it.&lt;/p&gt;

&lt;p&gt;Your habits reveal what you're trying to change about yourself. Your mood logs reveal your emotional patterns. Your reflections reveal your inner life. Your goals reveal your vulnerabilities. This is some of the most intimate data a person can generate.&lt;/p&gt;

&lt;p&gt;Most habit trackers can read all of it. The company, its employees, its partners, its acquirers, and — depending on jurisdiction — law enforcement. Your behavioral data sits on their servers, readable, queryable, sellable.&lt;/p&gt;

&lt;p&gt;Metamorphic uses zero-knowledge encryption. Your data is encrypted on your device before it ever reaches our servers. We can't read it. Not because we promise not to — because we're technically unable to. The architecture doesn't allow it.&lt;/p&gt;

&lt;p&gt;We also use post-quantum encryption — designed to resist not just today's threats but the quantum computing attacks that researchers expect within the next decade. Your habits from 2026 should still be private in 2036.&lt;/p&gt;

&lt;p&gt;This isn't a premium feature. It's not an add-on. It's how the entire system works, free tier included. Because the behavioral science is clear: self-tracking only works when it's honest, and honesty requires safety.&lt;/p&gt;

&lt;h2&gt;We built what the research said to build&lt;/h2&gt;

&lt;p&gt;We didn't want Metamorphic to be another app where marketing picked the features and science got a footnote. We wanted it to actually work — to do what the literature says matters, not what looks good in a screenshot.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Habit strength indicators.&lt;/strong&gt; Lally's research shows habit formation follows a curve — rapid gains early, plateau around 66 days. Every habit shows a strength percentage on your dashboard. Not just "14-day streak" but "78% formed." Realistic expectations based on actual science instead of arbitrary streak counts.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Contextual reflection prompts.&lt;/strong&gt; Reflection prompts respond to your current state — a different prompt after a streak break than after a milestone, a different tone after a tough mood than after a good one. All of this runs on metadata alone — dates, counts, scores — never on your encrypted content.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;WOOP-based goal setting.&lt;/strong&gt; Oettingen &amp;amp; Gollwitzer (2010) developed Mental Contrasting with Implementation Intentions — wish, outcome, obstacle, plan. It outperforms positive visualization alone by 2-3x for goal completion. Goals include obstacle identification and confidence calibration, so you're thinking about what might get in the way &lt;em&gt;before&lt;/em&gt; it does.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Contextual cue prompts.&lt;/strong&gt; Every habit has an "After I…" field that links it to the thing you already do before it. &lt;em&gt;After morning coffee → Meditate.&lt;/em&gt; Your cue shows right on the habit card and in your reminders — anchoring new behaviors to your existing routine.&lt;/p&gt;

&lt;h2&gt;The bottom line&lt;/h2&gt;

&lt;p&gt;Behavior change is hard. The research says it's also predictable — not perfectly, but enough to build better tools. Most apps don't bother. They give you a checkbox and a streak counter and call it done.&lt;/p&gt;

&lt;p&gt;We think you deserve more than that. And we think you deserve it without giving up the most personal data you have.&lt;/p&gt;

&lt;p&gt;Metamorphic is free to start. Your data is encrypted before it leaves your device. And the science is built into the product, not bolted onto the marketing.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://metamorphic.app/users/register" rel="noopener noreferrer"&gt;Create your free account →&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;References&lt;/h2&gt;

&lt;p&gt;Barrett, L. F., Gross, J., Christensen, T. C., &amp;amp; Benvenuto, M. (2001). Knowing what you're feeling and knowing what to do about it. &lt;em&gt;Cognition &amp;amp; Emotion&lt;/em&gt;, 15(6), 713–724.&lt;/p&gt;

&lt;p&gt;Fogg, B. J. (2009). A behavior model for persuasive design. &lt;em&gt;Proceedings of the 4th International Conference on Persuasive Technology&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Gollwitzer, P. M. (1999). Implementation intentions: Strong effects of simple plans. &lt;em&gt;American Psychologist&lt;/em&gt;, 54(7), 493–503.&lt;/p&gt;

&lt;p&gt;Lally, P., van Jaarsveld, C. H. M., Potts, H. W. W., &amp;amp; Wardle, J. (2010). How are habits formed: Modelling habit formation in the real world. &lt;em&gt;European Journal of Social Psychology&lt;/em&gt;, 40(6), 998–1009.&lt;/p&gt;

&lt;p&gt;Locke, E. A., &amp;amp; Latham, G. P. (2002). Building a practically useful theory of goal setting and task motivation. &lt;em&gt;American Psychologist&lt;/em&gt;, 57(9), 705–717.&lt;/p&gt;

&lt;p&gt;Oettingen, G., &amp;amp; Gollwitzer, P. M. (2010). Strategies of setting and implementing goals. In &lt;em&gt;Social psychological foundations of clinical psychology&lt;/em&gt; (pp. 114–135).&lt;/p&gt;

&lt;p&gt;Pennebaker, J. W. (1997). Writing about emotional experiences as a therapeutic process. &lt;em&gt;Psychological Science&lt;/em&gt;, 8(3), 162–166.&lt;/p&gt;

&lt;p&gt;Schultz, W. (1997). Dopamine neurons and their role in reward mechanisms. &lt;em&gt;Current Opinion in Neurobiology&lt;/em&gt;, 7(2), 191–197.&lt;/p&gt;

&lt;p&gt;Wood, W., &amp;amp; Neal, D. T. (2007). A new look at habits and the habit-goal interface. &lt;em&gt;Psychological Review&lt;/em&gt;, 114(4), 843–863.&lt;/p&gt;

</description>
      <category>behavioralscience</category>
      <category>habits</category>
      <category>privacy</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Your Habit Tracker Knows More About You Than Your Therapist. Mine Can’t Read Any of It.</title>
      <dc:creator>Mark Thayer</dc:creator>
      <pubDate>Fri, 17 Apr 2026 16:10:58 +0000</pubDate>
      <link>https://dev.to/mosspigletcorp/your-habit-tracker-knows-more-about-you-than-your-therapist-mine-cant-read-any-of-it-3if0</link>
      <guid>https://dev.to/mosspigletcorp/your-habit-tracker-knows-more-about-you-than-your-therapist-mine-cant-read-any-of-it-3if0</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpa9ciudh1hsm8f0tsqu0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpa9ciudh1hsm8f0tsqu0.png" alt="Screenshot of the landing page for Metamorphic, with its blue egg logo of geometric striations of color." width="800" height="629"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I built a habit tracker where the server has no idea what you’re tracking.&lt;/p&gt;

&lt;p&gt;Every habit app I looked at stores your data in plaintext on their servers. Your daily check-ins, your goals, your mood journal, your streaks — sitting in a database, readable by anyone with access. That felt wrong to me.&lt;/p&gt;

&lt;p&gt;So I built Metamorphic: a habit and self-improvement tracker where all your data is encrypted in your browser before it ever reaches the server. The server only stores opaque blobs of ciphertext. Not even your email address is stored in plaintext.&lt;/p&gt;

&lt;h3&gt;Why encrypt a habit tracker?&lt;/h3&gt;

&lt;p&gt;Think about what a habit tracker actually contains. It’s not just “drink more water” and a checkbox. Over time, it becomes a detailed map of what you’re trying to change about yourself — your struggles, your patterns, the things you fail at repeatedly. That’s more intimate than most of what you’d share on social media.&lt;/p&gt;

&lt;p&gt;The idea came from watching my partner, who has a background in psychology and behavior science. She’s always thinking about how to break old habits and build better ones. It clicked: if your habits, goals, and self-reflections are this personal, they should be private to only you. And you shouldn’t have to worry about whether they are.&lt;/p&gt;

&lt;h3&gt;The backstory&lt;/h3&gt;

&lt;p&gt;I run &lt;a href="https://mosspiglet.dev" rel="noopener noreferrer"&gt;Moss Piglet&lt;/a&gt;, a bootstrapped public benefit company. Our other product, &lt;a href="https://mosslet.com" rel="noopener noreferrer"&gt;MOSSLET&lt;/a&gt;, is a privacy-first social platform built with Elixir. When I was becoming a new dad, I’d just finished reading &lt;em&gt;The Age of Surveillance Capitalism&lt;/em&gt; by Shoshana Zuboff — and I wanted a better digital world for my daughter. When Meta rolled back end-to-end encryption on its messaging, I was pushed to implement real E2EE in MOSSLET.&lt;/p&gt;

&lt;p&gt;Metamorphic takes that work further. Instead of encrypting just messages, the entire application is zero-knowledge. The server can’t read your habits, your goals, your reflections, your schedule, your group data — none of it. If our database were fully breached tomorrow, an attacker would get nothing useful.&lt;/p&gt;

&lt;h3&gt;What Metamorphic actually does&lt;/h3&gt;

&lt;p&gt;It’s a complete self-improvement platform, not just a checkbox app:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Habit tracking&lt;/strong&gt;  — Daily and weekly check-ins, streaks, drag-and-drop reordering, categories&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Self-reflections&lt;/strong&gt;  — A journal with mood tracking and daily prompts&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Goal setting&lt;/strong&gt;  — Milestones, progress bars, and the ability to link goals to habits so check-ins automatically advance your progress&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Schedule and calendar&lt;/strong&gt;  — Recurring events, a day planner, and printable views for people who like paper&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Family and group accountability&lt;/strong&gt;  — Shared habits, shared goals, a group dashboard, and member spotlights&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Progress insights&lt;/strong&gt;  — Activity heatmaps and completion stats&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Data export&lt;/strong&gt;  — JSON and CSV, decrypted entirely in your browser. The server never sees the plaintext, even during export&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One thing I feel strongly about: &lt;strong&gt;encryption is not a premium feature.&lt;/strong&gt; Every tier — including the free one — gets full end-to-end encryption. Paid tiers unlock convenience features like unlimited habits, reminders, data export, and groups. But privacy is not something you should have to pay extra for.&lt;/p&gt;


&lt;h3&gt;How the privacy works (without the jargon)&lt;/h3&gt;

&lt;p&gt;When you create a habit, type a journal entry, or set a goal, your browser encrypts that data before sending it to the server. The server stores it, but has no way to read it. When you load the page later, the server sends the encrypted blobs back, and your browser decrypts them using keys that only exist on your device.&lt;/p&gt;

&lt;p&gt;Your password is never stored or transmitted in a usable form. Instead, it’s used to derive a cryptographic key locally, and that derived key unlocks everything else. If you lose your password and haven’t set up a recovery key, your data is gone — by design. That’s the real trade-off of zero-knowledge, and it’s the correct one.&lt;/p&gt;

&lt;p&gt;For the more technically inclined:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Client-side encryption&lt;/strong&gt; uses libsodium (XSalsa20-Poly1305)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Key distribution&lt;/strong&gt; uses a hybrid post-quantum scheme: ML-KEM-768 combined with X25519 — the same approach Signal and Apple iMessage have adopted to protect against future quantum computers&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Three independent encryption layers at rest&lt;/strong&gt;: client-side E2E, AES-256-GCM in Postgres, and LUKS disk encryption on the hosting infrastructure&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Zero-knowledge email&lt;/strong&gt;: no plaintext email column in the database. Only a one-way hash for lookups and an encrypted blob&lt;/li&gt;
&lt;li&gt;A detailed architecture writeup is at &lt;a href="https://metamorphic.app/encryption" rel="noopener noreferrer"&gt;metamorphic.app/encryption&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;The interesting tension&lt;/h3&gt;

&lt;p&gt;Metamorphic is built with Phoenix LiveView, a framework where the server renders the page. But in a zero-knowledge system, the server can’t render the &lt;em&gt;content&lt;/em&gt; — it doesn’t know what it says. The result is a choreography: the server sends the page structure with placeholder skeletons, and JavaScript hooks decrypt and fill in the real content on arrival.&lt;/p&gt;

&lt;p&gt;It works. The skeletons flash in briefly, then the real data appears. UX-wise, it’s not dramatically different from any app with a loading state. Architecturally, it’s a very different beast — 15+ JavaScript hooks managing the encrypt/decrypt lifecycle across habits, goals, reflections, events, groups, and export.&lt;/p&gt;

&lt;h3&gt;The real trade-offs&lt;/h3&gt;

&lt;p&gt;I won’t pretend zero-knowledge doesn’t have costs:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;No server-side search.&lt;/strong&gt; If you want to filter habits by name or search your reflections, that happens client-side after decryption. Fine at our current scale.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;If you lose your password and your recovery key, your data is unrecoverable.&lt;/strong&gt; This is a real UX concern. The recovery key flow mitigates it, but the fundamental constraint is by design.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Testing is harder.&lt;/strong&gt; You can’t assert on decrypted content in server-side tests because decryption only happens in JavaScript. Tests verify DOM structure and that encrypted fields are stored correctly — the decrypt-and-display pipeline is the gap.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These are trade-offs I’m willing to make. Your habit data being unreadable to everyone except you — including me — is worth it.&lt;/p&gt;

&lt;h3&gt;Try it&lt;/h3&gt;

&lt;p&gt;I’m not very good at habit tracking myself, which is partly why I built this. I’ve been using Metamorphic to get back into yoga, meditation, and running. So far, so good.&lt;/p&gt;

&lt;p&gt;Check it out at &lt;a href="https://metamorphic.app/" rel="noopener noreferrer"&gt;metamorphic.app&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>showdev</category>
      <category>security</category>
      <category>elixir</category>
      <category>privacy</category>
    </item>
    <item>
      <title>I Built a Zero-Knowledge Encrypted Habit Tracker with Elixir &amp; Phoenix LiveView</title>
      <dc:creator>Mark Thayer</dc:creator>
      <pubDate>Thu, 16 Apr 2026 23:16:47 +0000</pubDate>
      <link>https://dev.to/mosspigletcorp/i-built-a-zero-knowledge-encrypted-habit-tracker-with-elixir-phoenix-liveview-3jc9</link>
      <guid>https://dev.to/mosspigletcorp/i-built-a-zero-knowledge-encrypted-habit-tracker-with-elixir-phoenix-liveview-3jc9</guid>
      <description>&lt;p&gt;I'm the solo dev at &lt;a href="https://mosspiglet.dev" rel="noopener noreferrer"&gt;Moss Piglet&lt;/a&gt;, a bootstrapped public benefit company. I've been building &lt;a href="https://metamorphic.app" rel="noopener noreferrer"&gt;Metamorphic&lt;/a&gt; — a habit and self-improvement tracker where all personal data is encrypted client-side before it ever reaches the server. The server only stores opaque ciphertext blobs.&lt;/p&gt;

&lt;h2&gt;Why encrypt a habit tracker?&lt;/h2&gt;

&lt;p&gt;I was inspired by my partner's background in psych and behavior science. It clicked that something as personal as your habits, goals, and self-reflections — basically a map of what you're trying to change about yourself — should be private to only you, and you shouldn't have to worry about it being otherwise.&lt;br&gt;
Every other habit tracker I looked at stores your data in plaintext. Metamorphic doesn’t.&lt;/p&gt;

&lt;h3&gt;What it does&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Habit tracking&lt;/strong&gt; — daily/weekly check-ins, streaks, drag-and-drop reordering&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Self-reflections&lt;/strong&gt; — mood tracking and daily prompts&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Goal setting&lt;/strong&gt; — milestones, progress bars, habit linking&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Schedule/calendar&lt;/strong&gt; — recurring events, day planner, printable views&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Family/group accountability&lt;/strong&gt; — shared habits, shared goals, group dashboard&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Progress insights&lt;/strong&gt; — activity heatmaps, completion stats&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Data export (JSON/CSV)&lt;/strong&gt; — decrypted entirely client-side, server never sees plaintext&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Encryption is not a premium feature.&lt;/strong&gt; Every tier gets full E2E encryption. Paid tiers gate convenience (unlimited habits, reminders, export, groups), not privacy.&lt;/p&gt;

&lt;h3&gt;How the crypto works&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Client-side encryption via &lt;code&gt;libsodium-wrappers-sumo&lt;/code&gt; — XSalsa20-Poly1305 for data, NaCl box/seal for key distribution&lt;/li&gt;
&lt;li&gt;Hybrid post-quantum key encapsulation (ML-KEM-768 + X25519 via &lt;code&gt;@noble/post-quantum&lt;/code&gt;) — the same approach as Signal and Apple iMessage&lt;/li&gt;
&lt;li&gt;Three independent encryption layers at rest: client-side E2E, Cloak AES-256-GCM in Postgres, and LUKS disk encryption on &lt;a href="https://fly.io" rel="noopener noreferrer"&gt;Fly.io&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Zero-knowledge email: no plaintext email column in the database — only an HMAC blind index for lookups and an E2E-encrypted blob&lt;/li&gt;
&lt;li&gt;Password never touches sessionStorage — only the Argon2id-derived session key&lt;/li&gt;
&lt;li&gt;Persistent key cache using Web Crypto API (non-extractable AES-256-GCM wrapping key in IndexedDB) so browser restarts don't require re-entering your password&lt;/li&gt;
&lt;li&gt;Recovery key flow for password reset without server access to private keys&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;More detail on the architecture: &lt;a href="https://metamorphic.app/encryption" rel="noopener noreferrer"&gt;metamorphic.app/encryption&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;The interesting tradeoff: LiveView + zero-knowledge&lt;/h3&gt;

&lt;p&gt;This is the part I think other Elixir/Phoenix devs will find most relevant.&lt;/p&gt;

&lt;p&gt;LiveView is server-rendered by design. Zero-knowledge encryption means the server can't see the content it's rendering. These are fundamentally in tension.&lt;/p&gt;

&lt;p&gt;The result: brief placeholder skeletons that JS hooks fill in after client-side decryption, and a lot of &lt;code&gt;push_event/handleEvent&lt;/code&gt; choreography (15+ hooks). It's not too different UX-wise from a trust-the-server model — the skeletons flash in briefly — but architecturally it's a very different beast.&lt;/p&gt;

&lt;p&gt;Other tradeoffs:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;No server-side search on encrypted fields. Filtering by habit name or reflection text happens client-side after decryption. Fine at current scale.&lt;/li&gt;
&lt;li&gt;Testing is harder. You can't assert on decrypted content in LiveView tests since decryption is JS-only. Tests focus on DOM structure and data attributes. Context-level tests verify encrypted fields are stored and retrieved correctly — the decrypt-and-display pipeline is the gap.&lt;/li&gt;
&lt;li&gt;If you lose your password and haven't set up a recovery key, your data is gone. By design. Real UX tradeoff, but correct for zero-knowledge.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Stack&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Elixir/Phoenix LiveView&lt;/strong&gt; — full-stack web app&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ecto + Postgres&lt;/strong&gt; (&lt;a href="https://fly.io" rel="noopener noreferrer"&gt;Fly.io&lt;/a&gt; Managed Postgres)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;libsodium-wrappers-sumo + &lt;a href="https://github.com/paulmillr/noble-post-quantum" rel="noopener noreferrer"&gt;@noble/post-quantum&lt;/a&gt;&lt;/strong&gt; — client-side crypto&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cloak/cloak_ecto&lt;/strong&gt; — application-level at-rest encryption&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Oban&lt;/strong&gt; — background jobs (reminders)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tailwind CSS v4 + daisyUI&lt;/strong&gt; — UI/theming&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Sortable.js&lt;/strong&gt; — drag-and-drop&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;JSZip&lt;/strong&gt; — export packaging&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tidewave&lt;/strong&gt; — AI-assisted development (runtime introspection, live SQL/eval, a11y diagnostics)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A lot was shared from my work on &lt;a href="https://mosslet.com" rel="noopener noreferrer"&gt;MOSSLET&lt;/a&gt;, a privacy-first social platform with private journal and Bluesky interop, also built with Elixir.&lt;/p&gt;

&lt;h3&gt;Try it&lt;/h3&gt;

&lt;p&gt;I'm not very good at habit tracking myself, so I've been using Metamorphic to get back into yoga, meditation, and running. So far so good.&lt;/p&gt;

&lt;p&gt;Check it out at &lt;a href="https://metamorphic.app" rel="noopener noreferrer"&gt;metamorphic.app&lt;/a&gt;. Happy to answer questions about the architecture, the zero-knowledge approach, bootstrapping a public benefit company, or anything Elixir-related.&lt;/p&gt;

</description>
      <category>elixir</category>
      <category>showdev</category>
      <category>security</category>
      <category>privacy</category>
    </item>
  </channel>
</rss>
