01 / FAIR USE
[ every limit, published ]

Fair use.
Every number, on one page.

Our pillar article commits in writing to publishing every rate and cap Heldqr enforces. This is that page. The numbers on the redirect path, the management API, and the anti-abuse shields are all below — including the ones we hope nobody ever trips.


02 / REDIRECT PATH

Redirect path — deliberately unthrottled

A scan of your printed QR code is a request from your customer's phone. Throttling it is throttling your customer. We do not rate-limit the redirect path at heldqr.io/:shortcode — no per-IP ceiling, no per-shortcode slow-roll, nothing that would present a dead code to someone in front of your menu at 7pm on a Friday.

Abuse on the redirect path (scan-farming attacks, flood scripts) is handled out of band. See the 'Anti-abuse shields' section below.


03 / SCAN CAPS

Scan caps by tier

Scans cost us compute and storage. Every tier includes a scan allowance. Going over the allowance is not a deactivation event — per the continuity plan, your code keeps resolving. What changes is the analytics tail and, on the commercial tiers, whether usage-based billing kicks in.

Free tier

100 scans per month per code is your included allowance. Going over is not an abuse event; it's a signal that the free tier isn't the right plan anymore. Your code keeps resolving, every scan keeps being recorded, and the dashboard shows you an upgrade prompt instead of cutting you off. Genuine throttling is never tied to the monthly allowance: the only throttle on the redirect path is the per-shortcode scan-flood shield in §04 below, a burst ceiling of 100 scans per second that no real small-business code approaches.

Pro (€9 / month)

1,000,000 scans per year included. Beyond that, usage-based pricing applies. The price schedule is not yet published; it will appear in your account before you approach the cap. The 99th-percentile customer never hits this. Viral-scan events are covered under the same fair-use umbrella.

Business (€29 / month)

Same 1,000,000 scans per year included, same usage-based pricing above that. Business adds 3 seats, bulk CSV import, and daily-granularity analytics — not a larger scan allowance on its own.


04 / ANTI-ABUSE

Anti-abuse shields

The following caps exist so that a single bad actor cannot degrade the service for every other customer. They are orders of magnitude above any legitimate use — none of them should ever fire for a real buyer. They are published here because 'hidden ceilings' are exactly the pattern our pillar article was written against.

Per-shortcode scan flood

A single shortcode may not be scanned more than 100 times per second. Above that, the redirect is delayed rather than refused; the code does not break. This cap exists only to prevent a single code from being weaponised as a denial-of-service vector against the resolver. Normal viral-scan events never approach it.

Code-creation rate

An account may create at most 5000 new codes in any rolling 24-hour window — via the dashboard or (when it lands) the management API. This is an anti-abuse ceiling, not a plan feature. A small business never approaches it; a script generating millions of codes as a spam vector hits it immediately.

Management API rate

Every API token is rate-limited to 600 requests per minute, sliding window, with standard X-RateLimit-* response headers and a 429 + Retry-After on over-limit. The management API is not yet live — this number is stated now because docs/02-api-spec.md commits to it, and we want one page to be the single source of truth whether the API is yet shipped or not.

Data export rate

Each account may run the self-serve 'download my data' export at most once per minute. This is a per-account abuse shield on the streaming export path: it does not cap how many exports you can run per day, only how fast successive clicks can fire. A human clicking the button never approaches it.

QR image download rate

The public QR image URLs (SVG and PNG downloads) are limited to 120 requests per minute per IP address, answered with 429 + Retry-After above that. Embedding your QR image on a page is unaffected — each visitor fetches it from their own address — and a hand-run bulk download never sustains two requests per second. This shield only exists so a single source cannot burn server CPU by re-rendering one image in a loop.
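The four shields above (per-shortcode flood, API token, data export, QR image download) are one mechanism: a count of recent hits per key against a trailing window, with the per-shortcode shield delaying the excess and the others answering 429. The block below is an added illustration of that mechanism, not Heldqr's code. It keeps the last N service times per key, computes the earliest instant a new request may be served, and derives both Retry-After (rounded up to whole seconds, as the header requires) and the delay-mode wait from that instant. The header suffixes -Limit and -Remaining, the key names, and the sample token and shortcode are assumptions; the page only commits to 'X-RateLimit-*'.

```python
"""Added example: one sliding-window limiter for the shields on this page.
Not Heldqr's code. Header suffixes, key names and sample values are assumed."""
import math
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Keeps the last `limit` service times per key. A new request may be
    served once the oldest of those times is a full window in the past."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = float(window_seconds)
        self._log = defaultdict(deque)

    def _free_at(self, key, now):
        """Earliest instant a new request for `key` can be served."""
        q = self._log[key]
        if len(q) < self.limit:
            return now
        return max(now, q[0] + self.window)

    def _record(self, key, served_at):
        q = self._log[key]
        if len(q) == self.limit:
            q.popleft()  # the slot that just freed
        q.append(served_at)

    def remaining(self, key, now):
        """Free slots at `now`; service times older than the window don't count."""
        q = self._log[key]
        return self.limit - sum(1 for t in q if t > now - self.window)

    def check(self, key, now):
        """Reject mode (API, export, image): (allowed, remaining, retry_after)."""
        free_at = self._free_at(key, now)
        if free_at > now:
            return False, 0, free_at - now
        self._record(key, now)
        return True, self.remaining(key, now), 0.0

    def delay_for(self, key, now):
        """Delay mode (redirect path): never refuse; book the request into the
        first free slot and return how long it waits. Booked slots may lie in
        the future, which is why this mode never evicts by `now`."""
        free_at = self._free_at(key, now)
        self._record(key, free_at)
        return free_at - now


def api_response(limiter, token, now):
    """Status code and headers for one management-API call from `token`."""
    allowed, remaining, wait = limiter.check(token, now)
    headers = {
        "X-RateLimit-Limit": str(limiter.limit),        # suffixes assumed
        "X-RateLimit-Remaining": str(remaining),
    }
    if allowed:
        return 200, headers
    # Retry-After is whole seconds; round up so a compliant client never retries early.
    headers["Retry-After"] = str(math.ceil(wait))
    return 429, headers


def burst_api(n, now=0.0, token="tok_example"):
    """Fire n API calls from one (assumed) token at the same instant, 600/min limit."""
    limiter = SlidingWindowLimiter(limit=600, window_seconds=60)
    return limiter, [api_response(limiter, token, now) for _ in range(n)]


def flood_redirect(scan_times, code="abc123"):
    """Scan one (assumed) shortcode at each time in scan_times under the
    100/s shield; return the delay applied to each scan, in seconds."""
    shield = SlidingWindowLimiter(limit=100, window_seconds=1)
    return [shield.delay_for(code, t) for t in scan_times]


if __name__ == "__main__":
    _, responses = burst_api(601)
    print(responses[599], responses[600])  # last allowed call, first refused call
    print(flood_redirect([0.0] * 100 + [0.25] * 101)[99:102])
```

The image shield is the same class with limit=120 keyed by client IP, and the export shield is limit=1, window 60 keyed by account. Delay mode records the time a request will actually be served rather than the time it arrived, which is what keeps the queue ordered when a burst books several future slots; a production deployment would keep the per-key log in shared storage (a Redis sorted set is the usual choice) rather than in process memory.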


05 / CODE LIMITS

Code limits by tier

Free

Unlimited dynamic codes, subject to the code-creation rate ceiling above. The free tier is the product — not a trial — so unlimited means unlimited. Each free code carries a small 'made with heldqr.com' caption on its SVG export; paid tiers remove it.

Pro and Business

Unlimited codes, subject to the code-creation rate ceiling above. 'Unlimited' means there is no per-plan code count. For comparison, Ownqrcode sells a single dynamic code for $15; Heldqr gives unlimited dynamic codes on Free, and Pro at €9/month removes the caption and unlocks analytics. That is the difference.

Custom shortcodes

The shortcode is the slug after heldqr.io/ — the part printed on your artefact. On Free it is system-assigned: a short random string you don't choose. Pro and Business can set a custom shortcode: 3 to 32 characters, letters, digits, hyphens or underscores, starting with a letter or digit. Either way it is fixed once the code is live — it's already on the print run.
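A validator for these rules, added here as an illustration and not taken from Heldqr's code. The regex is a direct transcription of the rules above, with the first-character and length checks split out so a rejected slug gets a specific reason. Whether shortcodes are case-sensitive, and whether any values are reserved, is not stated on this page, so this check assumes neither.

```python
"""Added example: validate a custom shortcode against the rules on this page.
Not Heldqr's code. Case handling and reserved words are not specified here."""
import re

# First char a letter or digit, then 2..31 more of letters, digits,
# hyphen or underscore: 3..32 characters in total, ASCII only.
SHORTCODE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{2,31}$")


def validate_shortcode(slug):
    """Return None if `slug` is an acceptable custom shortcode, else the reason."""
    if not isinstance(slug, str):
        return "not a string"
    if not 3 <= len(slug) <= 32:
        return "length must be 3 to 32 characters"
    # str.isalnum() accepts non-ASCII letters, so require ASCII explicitly.
    if not (slug[0].isascii() and slug[0].isalnum()):
        return "must start with a letter or digit"
    if not SHORTCODE_RE.fullmatch(slug):
        return "only letters, digits, hyphens and underscores allowed"
    return None


if __name__ == "__main__":
    for candidate in ["menu-2024", "ab", "-abc", "a/b", "été"]:
        print(repr(candidate), validate_shortcode(candidate))
```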


06 / WHAT THIS PAGE ISN'T

What this page isn't

This is the fair-use policy, not the Terms of Service. The TOS covers things this page does not — liability, refunds, data rights, governing law. The numbers here are binding; the TOS is where they are legally enforceable.

This page is also not the continuity commitment. If we ever stop operating, the continuity plan at /continuity takes over — 12 months notice, source published at month 6, redirect data published at month 9. The fair-use numbers above apply only while the service is running normally. The continuity plan is for when it isn't.