Roadmap
What’s coming next. This page describes the planned order and content — not the dates. Updates ship when ready, not on a calendar.
As of: May 31, 2026
Current (v1.9.x)
Evidence-core sprint: “Early Access” becomes production-grade. These releases deliver the hardening that secures the audit value of the evidence package.
- v1.9.0 — Pro activation automatic after payment: Stripe webhook + server-gated Pro status, EARLY10 auto-disable at 10/10. (done)
- v1.9.1 — Evidence package hardening: atomic ZIP export, hash anchors per iteration. (done)
- v1.9.2 — PDF evidence package with archive metadata (foundation for PDF/A-3; formal veraPDF validation in v2.5+). (done)
- v1.9.4 — Public Verify URL: evidence package contains a verify address. External reviewers (auditor, insurer, authority) see status, manifest hash, and snapshot date without account access — no raw data exposure. Subscription-bound. (done)
- v1.9.7 — Full Stripe Customer Portal integration: plan switch, invoice download, cancellation from inside the portal. (done)
- v1.9.8 — Ten practice guides in the knowledge base (BetrSichV, DGUV V3, playground inspection, TrinkwV, ASR A2.2, etc.; German market focus). (done)
- v1.9.9 — Polish: pricing login-gate, mobile EN i18n, Pro-activation page overhauled, data audit. (done)
- v1.9.10 — Pricing anchor, trust section, Pro Team waitlist, founder seats live. (done)
- v1.9.11 — Audit PDF with brand footer and short verify token, printable evidence-package template as lead magnet. (done)
- v1.9.12 — Anonymous reach measurement with Plausible on public pages (no cookies, no personal data, EU-hosted). (done)
- v1.9.13 — One-time onboarding prompt after first login (two questions clarify the use case), QR code on the PDF evidence package, new explainer page “How does PflichtPilot work?”. (done)
- v1.9.14 — Master-data hardening in the background: server-side defaults for subscription / role / archive fields enforced on every insert, storage delete rule tightened. (done)
- v1.9.15 — Evidence attach in one step: file and DB row created server-side as a single closed operation, direct client inserts on evidence consistently rejected. (done)
- v1.9.16 — Onboarding answers reliably persisted in the profile, protections for sensitive profile fields (subscription status, role, Stripe link) further tightened. (done)
- v1.9.17 — Evidence integrity hotfix block: verify tokens stored as hash only, server-side Pro gating on evidence-package creation, missing evidence files surface as an explicit gap list instead of a silent error, structural branches/cycles in the duty chain now yield status FAIL, account deletion removes PflichtPilot-side data atomically and attempts Stripe cleanup as best-effort with per-step log, evidence rows immutable post-insert, more precise verify / hosting / privacy wording without absolute promises. (done)
- v1.9.18 — Wording refinements, new pricing layout, case-law section, storage-duration overview. (done)
- v1.9.19 — Knowledge base consolidated and search visibility extended. (done)
- v1.9.22 — Deepened knowledge page on DGUV V3 inspections. (done)
- v1.9.23 — Extended storage-duration overview. (done)
Next (v1.10)
Final hardening round before the jump into the organization model. Several items originally planned for v1.10.0 have already shipped in the v1.9.x releases.
- v1.10.0 — Evidence-package PDF with archive metadata in the PDF Info dictionary (title, author, date, keywords); documented cleanup strategy for external payment master data in the account-deletion flow (Stripe subscription cancel + customer delete as best-effort, Stripe-side retention under § 147 AO disclosed). (done)
- v1.10.1 — Robust GDPR export (ZIP with all reachable data + transparent gaps.json), precise evidence-package status (FAIL on branched duty chains), transparent account deletion with per-step status, privacy notice precision (Brevo as email processor, §5a with IP/UA/language, §6 Plausible scope), pricing wording “structured evidence package”, onboarding modal with keyboard focus trap. (done)
- v1.11.0 — Automated retention enforcement: daily deletion of expired login codes (>30 days), reduction of Stripe payment-event records to duplicate-detection keys (>90 days), deletion of old evidence-package template requests (>12 months). §5a privacy notice without the prior maintenance hedge. (done)
- v1.11.1 — More robust Stripe cleanup on account deletion: the local link to the Stripe customer record is explicitly cleared regardless of Stripe API success; direct link to Stripe Support in the notice banner when a step cannot complete automatically. (done)
- v1.12.0 — Byte-for-byte hash check on the verify page: evidence-package ZIP includes manifest.json + manifest-hash.txt + verify-url.txt; verify page accepts manifest.json upload and computes SHA-256 locally in the browser (MATCH/MISMATCH). (done)
- v1.12.1 — Immutable evidence, tighter verify/export binding, and clearer plan wording: evidence entries no longer individually deletable in operation, account deletion with an honest partial status, verify check scoped clearly to manifest.json, ZIP bound server-side to its export manifest, administration/billing functions restricted to the app's own domain. (done)
- v1.12.2 — Knowledge & practical-guide page polish: tighter note under the template form, practical checklists without an extra bullet (checkboxes only). (done)
- v1.12.3 — Editorial consistency: uniform, careful wording around records and integrity on the landing and knowledge pages (DE/EN). (done)
Organization model (v2)
PflichtPilot becomes multi-user capable. Pro Solo stays what it is today; Team and Business build on top.
- v2.0 — Pro Team bookable: multi-user per organization, confirmation step, role model, audit log.
- v2.4 — Pro Business bookable: multi-tenant, branding customization, business export profiles.
Long term (v2.5+)
- v2.5 — Trusted Timestamp / Anchoring: cryptographically signed timestamps on documentation chains, optionally available.
- v2.5+ — Full ISO 19005-3 (PDF/A-3) conformance for evidence packages: embedded fonts, sRGB OutputIntent, veraPDF-validated. Will be implemented on concrete customer demand.
- v3.0 — Enterprise: SSO, on-prem hosting, SLA.
What we will NOT build
From the manifesto — things we will not build:
- No push notifications to force attention
- No vanity dashboards (94%-done tricks)
- No AI-generated evidence
- No content analysis of uploaded files
- No data sales
About this roadmap
Order: mostly fixed — each version has a clear focus.
Dates: open — we ship when ready.
Scope: may shift; changes are documented in the version history.
Subscribe to updates: RSS feed at /meta/changelog.xml.