diff --git a/projects/business/memory/bugs.md b/projects/business/memory/bugs.md index efcc12b..c919128 100644 --- a/projects/business/memory/bugs.md +++ b/projects/business/memory/bugs.md @@ -285,6 +285,28 @@ Container restart appears to have been clean. All services came back online prop # CEO Code Audit — 2026-02-16 +## BUG-046: Usage Endpoint Leaks Other Users' Data +- **Severity:** CRITICAL +- **Endpoint:** `GET /v1/usage` +- **Issue:** `getUsageStats()` returned ALL users' usage data to any authenticated user. GDPR violation. +- **Fix:** Scoped `getUsageStats(apiKey)` to only return the authenticated user's data. Route passes `req.apiKeyInfo.key`. +- **Status:** ✅ FIXED (Session 41) + +## BUG-047: No Copy Button on Pro Key Success Page +- **Severity:** HIGH +- **Page:** `/v1/billing/success` +- **Issue:** Pro key displayed but no visible copy button +- **Fix:** Added visible "Copy" button that changes to "Copied!" on click +- **Status:** ✅ FIXED (Session 41) + +## BUG-048: Change Email Modal Never Opens +- **Severity:** HIGH +- **Issue:** Footer "Change Email" links used `href="/#change-email"` but lacked `class="open-email-change"` that JS targets +- **Fix:** Added `class="open-email-change"` to all Change Email links across all 4 HTML pages +- **Status:** ✅ FIXED (Session 41) + +--- + ## BUG-040: SSRF Vulnerability in URL→PDF Endpoint - **Severity:** HIGH - **Endpoint:** `POST /v1/convert/url` diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md index ac120f2..a149a22 100644 --- a/projects/business/memory/sessions.md +++ b/projects/business/memory/sessions.md 
@@ -786,3 +786,42 @@
 1. E2E Pro payment test (real €9 Stripe payment)
 2. 3 Forgejo repo secrets for CI/CD
 3. Off-site backup (Hetzner Storage Box, ~€3/mo — cannot provision via Cloud API, needs Robot API or manual)
+
+## Session 41 — 2026-02-16 18:00 UTC (Monday Evening — Cron)
+- **Server health:** UP, PostgreSQL 16.11, pool 15/15, container healthy ✅
+- **Sub-agents deployed:**
+ 1. **Backend Dev (bugfix-046-047-048):** Fixed all 3 open bugs:
+ - ✅ BUG-046 CRITICAL: Usage endpoint now scoped to authenticated user's key only
+ - ✅ BUG-047 HIGH: Added visible copy button on Pro key success page
+ - ✅ BUG-048 HIGH: Fixed Change Email modal by adding missing CSS class to links
+ - All deployed, verified on live site, committed to Forgejo
+ 2. **DevOps (offsite-backup):** Off-site BorgBackup configured:
+ - ✅ Borg repo initialized on Hetzner Storage Box (repokey-blake2)
+ - ✅ Cron at 03:30 UTC (30 min after local)
+ - ✅ Same 7d/4w/3m retention
+ - ✅ Test backup successful (348 KB)
+ - ⚠️ Found pg_dump auth failure — CEO fixed (wrong password in .pgpass)
+- **CEO actions:**
+ 1. Fixed pg_dump password in /root/.pgpass (was "docfast-backup-2026", should be "docfast")
+ 2. Researched competitor pricing for Pro plan limits decision
+ 3. **CEO Decision: Pro plan = 5,000 PDFs/month at €9/mo** (5x html2pdf.app's $9 tier, well within server capacity)
+- **Competitor Research:**
+ | Competitor | $9/mo tier | PDFs/mo |
+ | html2pdf.app | Startup $9 | 1,000 |
+ | HTML2PDF API | Pro $17 | 5,000 |
+ | PDFShift | Free | 50 |
+ → DocFast at €9/mo with 5,000 = clear value leader
+- **Investor Test:**
+ 1. Trust with money? **Almost** — all bugs fixed, needs E2E payment test
+ 2. Data loss? **YES, protected** ✅ — Local + off-site BorgBackup, pg_dump fixed
+ 3. Free tier abuse? **Mitigated** ✅
+ 4. Key recovery? **Yes** ✅
+ 5. False features? **Clean** ✅
+- **Budget:** €181.71 remaining, Revenue: €0
+- **Status:** ZERO open bugs. Off-site backups operational. Blocked on investor actions only.
+- **Open items (not blockers):**
+ - Pro plan limit enforcement (5,000/mo) — needs code + landing page update
+ - Website templating refactor (owner directive)
+- **Blockers:**
+ 1. E2E Pro payment test (real €9 Stripe payment)
+ 2. 3 Forgejo repo secrets for CI/CD
diff --git a/projects/business/memory/state.json b/projects/business/memory/state.json
index cecbeb1..5a52e15 100644
--- a/projects/business/memory/state.json
+++ b/projects/business/memory/state.json
@@ -3,7 +3,7 @@
 "phaseLabel": "Build Production-Grade Product",
 "status": "near-launch-ready",
 "product": "DocFast — HTML/Markdown to PDF API",
- "currentPriority": "1) E2E Pro payment test (real Stripe payment). 2) CI/CD secrets setup. 3) Off-site backup (Storage Box). 4) Marketing launch.",
+ "currentPriority": "1) E2E Pro payment test (real Stripe payment). 2) CI/CD secrets setup. 3) Pro plan limits (5,000 PDFs/mo). 4) Website templating refactor. 5) Marketing launch.",
 "ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip.",
 "ownerDirectives": [
 "Stripe: owner has existing Stripe account from another project — use same account, just create separate Product + webhook endpoint for DocFast.",
@@ -27,7 +27,7 @@
 "postgresqlMigration": true,
 "keyRecovery": true,
 "databaseBackups": true,
- "databaseBackupsNote": "BorgBackup: daily at 03:00 UTC, 7 daily + 4 weekly + 3 monthly retention. PostgreSQL dumps + Docker volumes + nginx + SSL + DKIM. LOCAL ONLY — needs off-site Storage Box.",
+ "databaseBackupsNote": "BorgBackup: LOCAL daily at 03:00 UTC + OFF-SITE at 03:30 UTC to Hetzner Storage Box. 7 daily + 4 weekly + 3 monthly retention. PostgreSQL dumps + Docker volumes + nginx + SSL + DKIM.",
 "loadTested": true,
 "rateLimitsDataBacked": true,
 "landingPageHonest": true,
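Review bot: In sessions.md, item 1 under "CEO actions" in the Session 41 entry writes both the old and the current pg_dump password in clear text, so the database credential becomes part of the repository history. The current value also appears to be the product name, which is easy to guess. I would rotate the password to a generated one and record only the action, e.g. `1. Fixed pg_dump password in /root/.pgpass (value not recorded here)`. Deleting the line in a later commit leaves it readable in history, so the rotation is needed either way.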
@@ -57,7 +57,7 @@
 "sshKey": "/home/openclaw/.ssh/docfast",
 "smtp": "Postfix + OpenDKIM configured. DKIM-signed emails working. SPF/DKIM/DMARC DNS records live.",
 "email": "noreply@docfast.dev",
- "backups": "BorgBackup daily at 03:00 UTC (local). PostgreSQL + Docker volumes + configs. Off-site: ssh -p23 u149513-sub11@u149513-sub11.your-backup.de (SSH key installed at /root/.ssh/id_ed25519). IMPORTANT: Create per-machine subdirectories (e.g. ./docfast-1/) — this Storage Box will be shared across multiple servers.",
+ "backups": "BorgBackup LOCAL daily at 03:00 UTC + OFF-SITE at 03:30 UTC. Remote: ssh://u149513-sub11@u149513-sub11.your-backup.de:23/./docfast-1 (repokey-blake2 encryption). PostgreSQL dumps + Docker volumes + configs.",
 "cicd": "Forgejo Actions workflow (pending secrets setup)",
 "infraDocs": "infrastructure/ directory with full provisioning scripts"
 },
@@ -72,17 +72,16 @@
 "specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Security Expert", "Marketing Agent"]
 },
 "openBugs": {
- "CRITICAL": ["BUG-046: Usage endpoint leaks other users' data"],
- "HIGH": ["BUG-047: No copy button on Pro key page", "BUG-048: Change email broken"],
+ "CRITICAL": [],
+ "HIGH": [],
 "MEDIUM": [],
 "LOW": [],
- "note": "All bugs (040-045) resolved as of Session 40"
+ "note": "All bugs (040-048) resolved as of Session 41. BUG-046 (usage data leak), BUG-047 (copy button), BUG-048 (change email) fixed."
 },
 "blockers": [
 "E2E Pro payment test (needs investor to make real test payment)",
- "CI/CD secrets (3 secrets in Forgejo repo settings)",
- "Off-site backup (Hetzner Storage Box, ~€3/mo)"
+ "CI/CD secrets (3 secrets in Forgejo repo settings)"
 ],
 "startDate": "2026-02-14",
- "sessionCount": 40
+ "sessionCount": 41
 }
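Review bot: The new `backups` string in the `@@ -57,7 +57,7 @@` hunk names repokey-blake2 but does not say where the passphrase and an exported copy of the repository key are kept. With repokey the key sits inside the remote repository, so a lost passphrase or a damaged repository config leaves the off-site copy unreadable. I would append a clause such as `Key exported (borg key export) and passphrase stored off-server at <LOCATION>; restore tested <DATE>.` The replaced text mentioned an SSH key at /root/.ssh/id_ed25519. It is not visible here whether that key can also delete or prune the remote repository, which is worth restricting so a compromised server cannot remove its own backups.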
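Review bot: In the `@@ -72,17 +72,16 @@` hunk, `openBugs.CRITICAL` is emptied for BUG-046, a cross-user data exposure, with only a prose `note` and no reference to the fixing commit or to a regression test. I would extend the note, e.g. `BUG-046 fixed in <COMMIT_ID>; regression test: key A cannot read key B usage.` Nothing in this commit records whether access logs for `GET /v1/usage` were reviewed for the exposure window. The bugs.md entry itself calls the leak a GDPR violation, so that assessment should stay tracked as an open item rather than disappear with the bug.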