all systems operational
01 / DOCUMENT
[ continuity plan · v1.0 · 2026-04-22 ]

If we shut down,
here's the runbook.

Every QR service sells "lifetime." Almost none of them define what happens if the company goes away. We do. Twelve months' notice. Source code published at month six. Per-account exports delivered at month nine; in the same window, codes flagged opt-in are published in a public dump so a third party can stand up the resolver at their own domain from the open-source release. Final shutdown at month twelve. heldqr.io itself is not handed off to a successor — codes that need to survive should use a custom domain so the printed QR points at a domain the customer owns.

This page is the public version of that commitment. The engineering spec that backs it lives at docs/03-continuity-plan.md in our repo — updated in lockstep with this page. If they ever disagree, the repo wins.


02 / PROMISE

The commitment, in plain terms.

If Heldqr stops operating as a going concern — for any reason: shutdown, insolvency, acquisition that changes the terms, founder inability to continue — the following happen, in order. This is the contract. Everything in §3 onward is the engineering that makes each of these steps executable without heroics.

month 0 Twelve months' notice by email and by a banner on every dashboard page. New signups stop the same day.
months 1–5 Service runs normally. Redirects honored. Annual renewals stop; monthly subscribers get an opt-out.
month 6 Resolver source published to a public GitHub repository under MIT or Apache 2.0.
months 7–8 Transition negotiations. Any credible third-party operator who wants to take over hosting gets serious evaluation.
month 9 Per-account exports delivered to every customer. In the same window, codes flagged opt-in are published in a public dump — shortcode, target_url, created_at — mirrored to GitHub Releases, IPFS, Archive.org, and BitTorrent.
months 10–11 Wind down. Resolver migrates to a cheaper static-serve mode if cost-to-operate becomes a concern.
month 12 Hosted service ends. heldqr.io itself is not handed off to a successor. Codes survive via the customer's own custom domain (configured in advance) or, for opt-in codes, via a third party who stands up the resolver at their own domain against the published source and dump.

03 / PUBLISHED

What gets published, and what doesn't.

A day-one commitment that later becomes code and data at month six and nine. The placeholder repo exists today so anyone can verify we've planned for this before we needed to.

The resolver — and only the resolver. A deliberately small surface: router, controller, the Ecto schema for codes, a read-through ETS cache, runtime config, and a Dockerfile that brings the whole thing up in one command against the published opt-in dump.

source code router, ResolverController, codes schema, ETS cache, runtime.exs, Dockerfile. MIT or Apache 2.0.
opt-in public dump Codes whose owner opted in at creation. shortcode, target_url, created_at. CSV + JSON-lines with matching SHA-256.
never published customer emails, IP addresses, scan events, billing data, labels — and target_urls of any code whose owner didn't opt in. Customer redirect destinations are private by default. We do not publish what an owner hasn't consented to publish.
redundancy GitHub, IPFS (≥2 pins), Archive.org, BitTorrent. Any one going away is fine.

04 / PRIVACY

Privacy is load-bearing, not decorative.

The continuity plan constrains what we can collect in the first place. We can't publish a database dump that contains customer emails, IP addresses, or detailed scan logs — so we design the product so those things either don't exist or are trivially separable from the redirect mapping. Target_urls are the customer's data: we collect them because the redirect needs them, but we never publish them without per-code consent.

This is not GDPR hygiene as a checkbox. It's the engineering constraint that makes the month-nine opt-in public dump and per-account exports executable without a lawyer review.

IP addresses never stored. Geolocation happens in-process at scan time; only the country code lands in the database.
cookies on the resolver none. Scan analytics are cookieless — coarse signals only.
account data emails, billing, login activity. Separate tables from the redirect mapping; the public-dump query touches only codes.
target_urls customer-owned data. Included in the customer's own per-account export. Stripped from the public dump unless the owner opted in at creation.
labels customer-internal metadata. Available via the dashboard; not part of either continuity export channel — the export shape is shortcode, target_url, created_at.

05 / LIMITS

What this does not promise.

Honest commitments require honest limits. Overpromising on continuity would defeat the purpose. These limits are in the TOS, stated plainly, so customers know exactly what they're buying.

not promised indefinite hosted service. We promise twelve months of notice, not perpetual hosting.
not promised takeover by any specific successor. We promise to publish the resolver source and the opt-in subset of codes. Per-account exports go to customers directly. We cannot guarantee anyone picks up the hosted service.
not promised domain handover. We do not commit to transferring the heldqr.io domain to a successor. If you need your codes to outlive Heldqr, configure a custom domain (Pro tier and up) so the QR points at your domain, not ours. Codes printed against the bare heldqr.io shortcode stop resolving at month twelve.
not promised data retention beyond the wind-down. After month twelve the customer database is deleted. Only the opt-in subset of redirects persists publicly.
not promised refunds on subscription billing cycles. A Pro or Business subscription cancelled during the wind-down stops billing at the next cycle; we do not refund the partial month you cancelled in. The notice period itself runs whether you keep paying or not.

06 / SIGNED
>

A continuity plan that nobody tests is a work of fiction.
These quarterly reviews are what distinguish this from marketing.

— Heldqr · 2026-04-22