Every Bitcoin tool owes an answer to: what happens to my coins if you go away?

Custodial services say “your funds are safe with our partners,” which trades us for someone else who can also disappear. Better services say “you can export everything,” which is true but assumes you knew to do it before we shut down.

Our answer is structurally different. It’s not a promise — it’s the architecture.

Three buckets, one of them surprisingly empty

YOU Private keys Seed phrase Signed transaction Heir handoff kit (PDF) Right to spend, always BITHERITANCE Your email Copy of signed tx xpub (opt-in) Alert subscriptions No private keys. Ever. BITCOIN Locktime enforcement UTXO ownership Final settlement Anti-double-spend
The middle column is intentionally small. We can't custody what we never see.

The WASM that builds and signs your transaction runs in your browser. Your wallet (Sparrow, Coldcard, Ledger, whatever) does the actual signing. Our server gets the output — a signed transaction hex — but never the input: your seed or private keys.

This is enforced by where the code runs, not by us promising to behave. There’s no admin button labeled “spend user’s bitcoin.” It’s not in the codebase because we’d have to invent a whole new architecture to put it there.

So if we shut down

You have the package on disk. Nothing changes for the inheritance. The heir broadcasts via:

  • Sparrow: Tools → Load Transaction → paste hex → Broadcast
  • Electrum: Tools → Load transaction → From text → Broadcast
  • Bitcoin Core CLI: bitcoin-cli sendrawtransaction <hex>
  • mempool.space’s broadcaster, blockstream.info’s broadcaster — both have a “paste raw tx” tool

The handoff PDF lists exactly these commands. We can’t make sure the heir uses them. We can make sure they’re written down somewhere the heir can find them.

You never exported. While we’re still up, the Export your data button in Settings gives you a JSON dump of everything we hold for you. Worth doing now even if we don’t shut down — it’s your offline backup.

We get hacked. Worst case the attacker gets: emails, saved tx hex, xpubs you opted to save. None of those let them spend Bitcoin. The signed transactions go where they were always going (your heir’s address). xpubs derive addresses but can’t sign. Privacy is harmed; funds aren’t.

What you still trust us about

Honest list, narrow:

  • The deployed binary matches the open-source repo
  • We don’t push a backdoored update tomorrow
  • The chain status we report is honest (independently verifiable on any block explorer)

What’s not on that list: we hold your funds safely. We literally can’t.

That’s the difference. Every custodial Bitcoin product is one breach away from disaster. Bitheritance is one breach away from a privacy incident and a bad week. Funds stay where Bitcoin says they stay.