01 / FAIR USE
[ every limit, published ]

Fair use.
Every number, on one page.

Our pillar article commits in writing to publishing every rate and cap Heldqr enforces. This is that page. The numbers on the redirect path, the management API, and the anti-abuse shields are all below — including the ones we hope nobody ever trips.


02 / REDIRECT PATH

Redirect path — deliberately unthrottled

A scan of your printed QR code is a request from your customer's phone. Throttling it is throttling your customer. We do not rate-limit the redirect path at heldqr.io/:shortcode — no per-IP ceiling, no per-shortcode slow-roll, nothing that would present a dead code to someone in front of your menu at 7pm on a Friday.

Abuse on the redirect path (scan-farming attacks, flood scripts) is handled out of band. See the 'Anti-abuse shields' section below.


03 / SCAN CAPS

Scan caps by tier

Scans cost us compute and storage. Every tier includes a scan allowance. Going over the allowance is not a deactivation event — per the continuity plan, your code keeps resolving. What changes is the analytics tail and, on the commercial tiers, whether usage-based billing kicks in.

Free tier

100 scans per month per code is your included allowance. Going over is not an abuse event — it's a signal that the free tier isn't the right plan anymore. Your code keeps resolving, every scan keeps being recorded, and the dashboard shows you an upgrade prompt instead of cutting you off. Genuine throttling only kicks in at traffic levels a real small-business code would never approach (think tens of thousands of scans per month on one free code) and is handled by the per-shortcode anti-abuse shield in §04 below, not by the tier allowance.

Pro (€9 / month)

1,000,000 scans per year included. Beyond that, usage-based pricing kicks in — published when we publish the schedule (you'll see it in your account before you approach the cap). The 99th-percentile customer never hits this. Viral-scan events are covered under the same fair-use umbrella.

Business (€29 / month)

Same 1,000,000 scans per year included, same usage-based pricing above that. Business adds 3 seats, bulk CSV import, API access, and daily-granularity analytics — not a larger scan allowance on its own.


04 / ANTI-ABUSE

Anti-abuse shields

The following caps exist so that a single bad actor cannot degrade the service for every other customer. They are orders of magnitude above any legitimate use — none of them should ever fire for a real buyer. They are published here because 'hidden ceilings' are exactly the pattern our pillar article was written against.

Per-shortcode scan flood

A single shortcode may not be scanned more than 100 times per second. Above that, the redirect is delayed rather than served — the code does not break. This cap exists only to prevent a single code from being weaponised as a denial-of-service vector against the resolver. Normal viral-scan events never approach it.

Code-creation rate

An account may create at most 50 new codes in any rolling 24-hour window — via the dashboard or (when it lands) the management API. This is an anti-abuse ceiling, not a plan feature. A small business never approaches it; a script generating millions of codes as a spam vector hits it immediately.

Management API rate

Every API token is rate-limited to 600 requests per minute over a sliding window, with standard X-RateLimit-* response headers and a 429 response with Retry-After when a token is over the limit. The management API is not yet live. This number is stated now because docs/02-api-spec.md commits to it, and we want one page to be the single source of truth whether or not the API has shipped yet.
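How a sliding-window limit of this kind behaves, as an added example that is not Heldqr's code: one limiter class applied to both the 600-per-minute token limit and the 50-per-24-hours code-creation ceiling above. The class and function names, the exact X-RateLimit-Limit and X-RateLimit-Remaining header names, and the choice not to count rejected requests against the window are assumptions; the page states only the numbers, the sliding window, the X-RateLimit-* family, and 429 with Retry-After.

```python
import math
from collections import deque

class SlidingWindowLimiter:
    """At most `limit` accepted events per key in any trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = {}  # key -> deque of accepted timestamps, oldest first

    def check(self, key, now):
        """Return (allowed, remaining, retry_after_seconds) for one event at `now`."""
        q = self.events.setdefault(key, deque())
        while q and q[0] <= now - self.window:  # expire events outside the window
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return True, self.limit - len(q), 0
        # Assumption: rejected events are not recorded, so retrying while
        # limited does not push the recovery time further out.
        return False, 0, max(1, math.ceil(q[0] + self.window - now))

def api_response(limiter, token, now):
    """Map a limiter decision to (status, headers). Header names are assumed."""
    allowed, remaining, retry_after = limiter.check(token, now)
    headers = {"X-RateLimit-Limit": str(limiter.limit),
               "X-RateLimit-Remaining": str(remaining)}
    if not allowed:
        headers["Retry-After"] = str(retry_after)
    return (200 if allowed else 429), headers

def demo():
    """Constructed traffic: 600 calls in 30 s, then one more at t=30 and t=60."""
    api = SlidingWindowLimiter(limit=600, window=60)
    for i in range(600):
        api_response(api, "token-A", i * 0.05)
    blocked = api_response(api, "token-A", 30.0)
    recovered = api_response(api, "token-A", 60.0)
    # Same class, code-creation ceiling: 50 per rolling 24 hours per account.
    codes = SlidingWindowLimiter(limit=50, window=24 * 3600)
    for i in range(50):
        codes.check("account-1", float(i))
    return blocked, recovered, codes.check("account-1", 3600.0)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the window trails each request rather than resetting on the minute boundary, a burst straddling two clock minutes cannot exceed 600, and Retry-After is the time until the oldest counted request ages out.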


05 / CODE LIMITS

Code limits by tier

Free

Unlimited dynamic codes, subject to the code-creation rate ceiling above. The free tier is the product — not a trial — so unlimited means unlimited. Each free code carries a small 'made with heldqr.com' caption on its SVG export; paid tiers remove it.

Pro and Business

Unlimited codes, subject to the code-creation rate ceiling above. 'Unlimited' means no per-plan code count — Ownqrcode sells one dynamic code for $15; we give unlimited dynamic codes on Free, and Pro at €9/month removes the caption and unlocks analytics. That is the difference.


06 / WHAT THIS PAGE ISN'T

What this page isn't

This is the fair-use policy, not the Terms of Service. The TOS covers things this page does not — liability, refunds, data rights, governing law. The numbers here are binding; the TOS is where they are legally enforceable.

This page is also not the continuity commitment. If we ever stop operating, the continuity plan at /continuity takes over — 12 months notice, source published at month 6, redirect data published at month 9. The fair-use numbers above apply only while the service is running normally. The continuity plan is for when it isn't.