all systems operational
heldqr
sign in create a code
01 / DOCUMENT
[ continuity plan · v1.0 · 2026-04-22 ]

If we shut down,
here's the runbook.

Every QR service sells "lifetime." Almost none of them define what happens if the company goes away. We do. Twelve months' notice. Source code published at month six. Data dump published at month nine. Final shutdown at month twelve, with the domain in escrow so a third party can keep the redirects running from the open-source release.

This page is the public version of that commitment. The engineering spec that backs it lives at docs/03-continuity-plan.md in our repo — updated in lockstep with this page. If they ever disagree, the repo wins.

02 / PROMISE

The commitment, in plain terms.

If Heldqr stops operating as a going concern — for any reason: shutdown, insolvency, acquisition that changes the terms, founder inability to continue — the following happen, in order. This is the contract. Everything in §3 onward is the engineering that makes each of these steps executable without heroics.

month 0 Twelve months' notice by email and by a banner on every dashboard page. New signups stop the same day.
months 1–5 Service runs normally. Redirects honored. Annual renewals stop; monthly subscribers get an opt-out.
month 6 Resolver source published to a public GitHub repository under MIT or Apache 2.0.
months 7–8 Transition negotiations. Any credible third-party operator who wants to take over hosting gets serious evaluation.
month 9 Anonymized data dump published — shortcode, target_url, created_at. Mirrored to GitHub Releases, IPFS, Archive.org, and BitTorrent.
months 10–11 Wind down. Resolver migrates to a cheaper static-serve mode if cost-to-operate becomes a concern.
month 12 Hosted service ends. Domain handover to a pre-arranged escrow so a successor can pick up the redirects.
03 / PUBLISHED

What gets published, and what doesn't.

A day-one commitment that later becomes code and data at month six and nine. The placeholder repo exists today so anyone can verify we've planned for this before we needed to.

The resolver — and only the resolver. A deliberately small surface: router, controller, the Ecto schema for codes, a read-through ETS cache, runtime config, and a Dockerfile that brings the whole thing up in one command against the published data dump.

source code router, ResolverController, codes schema, ETS cache, runtime.exs, Dockerfile. MIT or Apache 2.0.
data dump shortcode, target_url, created_at. CSV + JSON-lines with matching SHA-256.
never published customer emails, IP addresses, scan events, billing data, labels. We do not collect what we would be nervous to publish.
redundancy GitHub, IPFS (≥2 pins), Archive.org, BitTorrent. Any one going away is fine.
04 / PRIVACY

Privacy is load-bearing, not decorative.

The continuity plan constrains what we can collect in the first place. We can't publish a database dump that contains customer emails, IP addresses, or detailed scan logs — so we design the product so those things either don't exist or are trivially separable from the redirect mapping.

This is not GDPR hygiene as a checkbox. It's the engineering constraint that makes the month-nine data dump executable without a lawyer review.

IP addresses never stored. Geolocation happens in-process at scan time; only the country code lands in the database.
cookies on the resolver none. Scan analytics are cookieless — coarse signals only.
customer PII lives in different tables than redirect data. The export query touches only codes.
labels included in the customer's own export (their data). Stripped from the public dump.
05 / LIMITS

What this does not promise.

Honest commitments require honest limits. Overpromising on continuity would defeat the purpose. These limits are in the TOS, stated plainly, so customers know exactly what they're buying.

not promised indefinite hosted service. We promise twelve months of notice, not perpetual hosting.
not promised takeover by any specific successor. We promise to publish the code and data. We cannot guarantee anyone picks it up.
not promised data retention beyond the wind-down. After month twelve the customer database is deleted. Only the anonymized redirect dump persists publicly.
not promised refunds on subscription billing cycles. A Pro or Business subscription cancelled during the wind-down stops billing at the next cycle; we do not refund the partial month you cancelled in. The notice period itself runs whether you keep paying or not.
06 / SIGNED
>

A continuity plan that nobody tests is a work of fiction.
These quarterly reviews are what distinguish this from marketing.

— Heldqr · 2026-04-22