Original research · Published 2026-04-25 · Last reviewed 2026-04-25
2026 QR Code Platform Privacy & Tracking Disclosure Index
A first-of-its-kind composite scoring of 10 dynamic QR code platforms on what they actually disclose: scan-data scope, GDPR pages, CCPA opt-out links, retention windows, third-party data sharing, and end-user-facing notice + deletion flows. Score range 0 (opaque, maximal collection) → 100 (transparent, minimal). Every cell sourced.
QR Tiger scores 8/100 — the lowest privacy-hygiene posture in the benchmark. The platform's marketing pages claim scan data is "anonymized prior to database storage," but the privacy policy provides no methodology, no aggregation detail, no audit reference. ISO 27001 — heavily marketed by QR Tiger — is a security certification, not a privacy one. Combined with no dedicated GDPR notice, no CCPA opt-out link, and no enumerated subprocessors, the gap between marketing claim and policy substantiation is the widest in this dataset.
Ranking — most transparent / lowest collection to most opaque / highest collection
| # | Vendor | Score | Type | CCPA | GDPR | Named partners | Retention | Self-serve |
|---|---|---|---|---|---|---|---|---|
| 1 | GoQR.me | 93.5/100 | free-static | Yes | Page | n/a | ≤30d / none | Partial |
| 2 | Hovercode | 47.0/100 | paid-dynamic | No | Page | Named | Unstated | Partial |
| 3 | Flowcode | 47.0/100 | paid-dynamic | Yes | In ToS | Vague | Unstated | Partial |
| 4 | QRCodeChimp | 44.5/100 | paid-dynamic | No | In ToS | Named | ≤180d | Yes |
| 5 | QR Code Monkey (free) | 36.5/100 | free-static | No | No | Vague | Unstated | Partial |
| 6 | Scanova | 30.0/100 | paid-dynamic | No | In ToS | Vague | Unstated | Partial |
| 7 | Bitly | 28.0/100 | paid-dynamic | No | In ToS | Named | Unstated | Partial |
| 8 | Uniqode (Beaconstac) | 20.5/100 | enterprise | No | Page | None | Unstated | No |
| 9 | T2M (URL Shortener QR) | 18.0/100 | paid-dynamic | No | In ToS | Vague | Unstated | No |
| 10 | QR Tiger | 8.0/100 | paid-dynamic | No | No | Vague | Unstated | No |
Higher score = more transparent and lower-data-collection. Methodology in §Methodology.
The CCPA opt-out gap is the most striking pattern in the dataset. Of 10 vendors scored, exactly ONE (Flowcode) surfaces a documented CCPA "Your Privacy Choices" / "Do Not Sell" mechanism — and that vendor also collects the most behavioral and inference data. The other 9 vendors either assert non-sale (Bitly, T2M, QR.io) or omit the topic entirely. For California operators, this is not a compliance theory — it is the difference between a one-click opt-out flow and an email-and-wait support ticket.
Static-only generators (GoQR.me, QR Code Monkey free tier) score highest by ARCHITECTURE, not by policy. Their hygiene score is high because there is no server in the scan path — privacy via non-collection. Operators choosing a privacy-first stack should treat "static-only generator + zero scan analytics" as the ceiling of what dynamic vendors can offer with policy alone. If you do not need scan analytics, the cheapest path to a clean privacy posture is to not collect data at all.
Vendor-by-vendor detail
GoQR.me
Privacy hygiene: 93.5/100 · free-static
Scan data collected: NONE — generates static QR codes only; "no further communication with our servers when the QR code is scanned."
GDPR notice: Yes — separate German-language data-protection page (/de/rechtliches/datenschutz-goqrme.html).
CCPA opt-out: Not applicable — no scan data collected to opt out of.
Retention: QR image deleted ~30s after delivery from cache; no scan analytics collected.
Third-party sharing: No third-party sharing of scan data — none collected.
Scan-time notice: Not required — code contains only what the creator typed; no server-side tracking.
End-user deletion: Not applicable — nothing personal collected from scanners by default.
Best for: Privacy-conscious creators who only need a static QR (menu, business card, event flyer) and explicitly do NOT want scan analytics.
Worst for: Marketers who want analytics — GoQR.me's free product has none. Their paid QR-Server platform offers tracking but is a separate product.
The privacy floor in this benchmark — by being a static-only generator, GoQR.me sidesteps almost every privacy-policy concern dynamic QR vendors face. 0 collection means 0 misuse risk.
Methodology footnote: Self-serve deletion partial because there is nothing to delete — graded 6/12.5 to reflect that the policy doesn't describe an end-user request flow because it doesn't need one.
Hovercode
Privacy hygiene: 47.0/100 · paid-dynamic
Scan data collected: Truncated IP + device user-agent (browser/OS) by default. GPS only with explicit end-user consent.
GDPR notice: Yes — dedicated GDPR section on the same privacy page with subsections on legal basis, data subject rights, complaints procedures.
CCPA opt-out: Not present — policy is GDPR-first; no California-specific "Do Not Sell" link visible.
Retention: No scan-analytics-specific window stated; account/financial records retained ≤7 years (HMRC).
Third-party sharing: Specific partners NAMED with privacy-policy links: Stripe (payments), Postmark (email), DigitalOcean (hosting), Plausible (analytics), HelpScout (support), Sentry (error monitoring).
Scan-time notice: No standardised pre-scan notice; relies on the QR creator to inform scanners.
End-user deletion: GDPR-style data subject request via senior data controller; not self-serve.
Best for: EU-based operators who value the rare combination of named subprocessors + IP truncation + opt-in-only GPS — three signals that almost no other dynamic vendor stacks together.
Worst for: California/US operators who need a documented CCPA opt-out flow and a stated retention period.
Best-in-class GDPR posture for a paid-dynamic vendor: IP truncation by default, opt-in GPS, named subprocessor list. Loses points for missing CCPA link and unstated scan retention window.
Flowcode
Privacy hygiene: 47.0/100 · paid-dynamic
Scan data collected: IP + geolocation (precise with consent, IP-derived otherwise) + OS/browser/device model + unique cookie IDs + record of QR scanned + INFERENCES about location/interests.
GDPR notice: No dedicated GDPR page; integrated into Section 6 ("Legal Basis for Processing") of the main privacy policy.
CCPA opt-out: Yes — explicit "Your Privacy Choices" form at app.flowcode.com/privacyrequest. Most prominent CCPA opt-out in the benchmark.
Retention: Not explicitly stated for scan/QR data; general "only as long as necessary" language.
Third-party sharing: Categories listed (service providers, Brands and Creators, affiliates, business partners) but no specific named partners.
Scan-time notice: Flowcode-branded scan landing page advertises privacy.flowcode.com upfront — closest thing to a point-of-scan notice in the benchmark.
End-user deletion: Email or web form for erasure under GDPR/CCPA; no self-serve dashboard for end users.
Best for: US enterprise marketers who want a documented CCPA opt-out flow and on-scan privacy-link branding — Flowcode is the only vendor pairing those two signals.
Worst for: Operators who need MINIMAL collection — Flowcode collects the most behavioral and inference data of any vendor in this benchmark.
Paradox: Flowcode has the most user-friendly CCPA flow AND the most aggressive scan-data collection in the dataset. Their pre-scan privacy branding is genuinely unique — but what users see disclosed is also what gets ingested.
QRCodeChimp
Privacy hygiene: 44.5/100 · paid-dynamic
Scan data collected: Browser type + device details + IP + IP-derived location (city/state/country). Precise GPS only with browser permission. No behavioral inference disclosed.
GDPR notice: No standalone GDPR page; main policy "designed to comply with GDPR." Data Processing Agreement available by email.
CCPA opt-out: No dedicated "Do Not Sell" link; California rights via account settings or email request.
Retention: Server/access logs ≤180 days; scan data retention not explicitly bounded.
Third-party sharing: Categories listed; payment processors (Stripe, PayPal, RazorPay) and Google Analytics named specifically. SOC 2 Type II.
Scan-time notice: No standard pre-scan notice; account holder responsible for downstream notice.
End-user deletion: Self-serve: Dashboard → Profile → Delete Account (some backup retention disclosed honestly).
Best for: SMBs who want self-serve account deletion + named payment processors + a 180-day server-log window over enterprise-style opacity.
Worst for: California operators — no explicit CCPA opt-out link, account-settings flow only.
The retention window for server logs is one of only two explicit numerical retention disclosures in this benchmark (Hovercode's 7yr is the other, and that's for accounts not scans). Self-serve deletion is best-in-class.
QR Code Monkey (free)
Privacy hygiene: 36.5/100 · free-static
Scan data collected: Free version offers NO scan analytics — the site collects browser + IP + cookies + page interaction on its own marketing site, not on QR scans.
GDPR notice: Limited; site uses general privacy/cookie language without a dedicated GDPR notice page surfaced.
CCPA opt-out: Not surfaced.
Retention: Not stated; free product uses site-wide cookies for usage tracking on the GENERATOR site, not on scans.
Third-party sharing: Standard ad/analytics partners implied via cookie banners; no enumerated subprocessor list.
Scan-time notice: Not applicable for free static QRs (no server in scan path).
End-user deletion: No account required for the free generator — minimal data to delete.
Best for: Anyone needing a no-account static QR — privacy via non-collection. Free generator with no signup means no data to misuse.
Worst for: Marketers wanting analytics — free QR Code Monkey provides none. Their paid analytics tier was not in scope for this scoring window.
Architecturally similar to GoQR.me at the free tier (no scan tracking) but with weaker policy documentation. The lack of a formal GDPR page and CCPA opt-out is a documentation gap, not a data-collection one.
Methodology footnote: Scored only the free tier (per scope: "free"). The paid analytics tier — if added in a future update — would change scan-scope, retention, and sharing scores materially.
Scanova
Privacy hygiene: 30.0/100 · paid-dynamic
Scan data collected: Per Scanova's public tracking guide: scan location (IP-derived + GPS), time/date, device type/OS, browser, scroll depth, link clicks, button interactions on landing page. Personal data via lead-gen forms only with consent.
GDPR notice: Integrated into main privacy notice; ISO/IEC 27001:2022 + GDPR + SOC2 claimed.
CCPA opt-out: Not specifically located in primary policy; users may request download or deletion.
Retention: Not specified for scan analytics; encryption + access controls described.
Third-party sharing: Vague — third-party apps "thoroughly vetted for data security and GDPR compliance" but not enumerated.
Scan-time notice: Scanova's public guide states end-users are informed at each stage of data collection — but pre-scan disclosure depends on creator implementation.
End-user deletion: Customers can request data download or deletion at any time per Scanova guide; not described as fully self-serve.
Best for: Operators who want one of the few vendors openly disclosing scroll-depth + on-page interaction tracking — at least Scanova tells you they collect it.
Worst for: Privacy-minimisers — Scanova's scan tracking is explicitly behavioral (scroll depth, button clicks) and few competitors disclose this much.
The "honest about being aggressive" vendor: Scanova's public docs detail more behavioral data points than peers, which is good for transparency and bad for collection-minimisation. The main privacy notice page requires support-portal access (403 on direct fetch) — a friction signal.
Methodology footnote: Direct fetch of scanova.io/privacy-policy.html returned 403 during research window. Scoring relied on support-portal privacy notice + Scanova's own public tracking guide. Score may shift if main policy adds CCPA opt-out or retention language.
Bitly
Privacy hygiene: 28.0/100 · paid-dynamic
Scan data collected: IP + IP-derived location + device settings (browser/OS/language) + time/date of access + cookies + mobile advertising identifiers + broader "internet or other electronic network activity."
GDPR notice: No standalone GDPR page; integrated "Rights under the GDPR" section + dedicated EU contact (privacy-eu@bit.ly). Joint controllers Bitly Inc + Bitly Europe GmbH.
CCPA opt-out: No prominent "Do Not Sell" link — policy asserts Bitly does not "sell" or "share" under CCPA terms. Rights via privacy@bit.ly contact.
Retention: User data anonymised or erased after 3 years from last contact. Aggregated/anonymised data retained indefinitely. Scan-specific window not isolated.
Third-party sharing: Specific partners NAMED: Google (Analytics, Ads, Tag Manager, Maps), Facebook (Comments, Messenger, Connect), email marketing providers, payment processors.
Scan-time notice: No pre-scan notice; account-holders see scan history; scanned link products cannot be deleted even if the account is deleted.
End-user deletion: Self-serve account deletion exists; "Bitly Products that you have created and shared cannot be deleted or disabled" — partial.
Best for: Operators who want named subprocessors (Google, Facebook) and an explicit non-sale assertion from a vendor with a public Data Privacy Statement and active joint-controller GDPR setup.
Worst for: Privacy-minimisers — Bitly's scan capture is among the most comprehensive (incl. mobile advertising IDs and "electronic network activity") and Bitly OWNS most dynamic QR scan data globally.
High-volume vendor with a mature joint-controller GDPR setup and named subprocessors — but the scan-data scope is broad and the persistence of created links beyond account deletion is a unique footgun.
Uniqode (Beaconstac)
Privacy hygiene: 20.5/100 · enterprise
Scan data collected: IP + non-precise geographic location + mobile device info. Scan-specific itemisation absent — focus is website-visitor data.
GDPR notice: Yes — dedicated /gdpr-compliance page linked from footer with GDPR badges. Updated 2018 to align.
CCPA opt-out: Not found — policy references California rights generally; no dedicated "Do Not Sell My Personal Information" mechanism.
Retention: "Where ongoing legitimate business requires retention" — no specific timeframe for scan or analytics data.
Third-party sharing: Vague + partial detail; references "business partners, suppliers, sub-contractors, advertisers & advertising networks." Per third-party industry analysis (Lucid Privacy + pageloot), Uniqode "shares and sells scan data with affiliates, advertisers & ad networks, analytics providers, co-promotional partners, and marketing services." Stripe named for payments.
Scan-time notice: Policy directs end-users to contact the Customer (not Uniqode) for data subject requests — friction-heavy.
End-user deletion: No self-serve portal mentioned for scan data or end-user profiles.
Best for: Enterprises who need GDPR + SOC 2 Type 2 + HIPAA + ISO 27001:2022 compliance badges and have legal teams to negotiate custom DPAs.
Worst for: Anyone who needs to verify what happens to scan data — independent privacy reviewers (Lucid Privacy, pageloot) report Uniqode SELLS scan data to advertisers, which the policy itself does not disclose with that specificity.
Strong compliance-badge stack (GDPR/SOC 2/HIPAA/ISO) with the most opaque actual scan-data flow in the benchmark. The gap between certification claims and what third-party privacy reviewers document is the largest in this dataset.
Methodology footnote: Sharing scored 0 because of cited third-party documentation that Uniqode shares/sells scan data — but the policy itself uses vague category language. If a future Uniqode update names specific advertiser partners, this score rises.
T2M (URL Shortener QR)
Privacy hygiene: 18.0/100 · paid-dynamic
Scan data collected: Generic "location" + IP via automatic technologies; QR-specific itemisation absent.
GDPR notice: GDPR rights integrated in Section 11 of unified policy; no separate page. SOC 2 Type II + GDPR + CCPA + PIPEDA claimed.
CCPA opt-out: No dedicated opt-out link; policy asserts "we do not sell personal data."
Retention: Vague — "as long as necessary to provide our services or as required by law." No scan-specific window.
Third-party sharing: Subprocessors list URL referenced (t2mio.com/subprocessors); not enumerated in main text.
Scan-time notice: No pre-scan notice described.
End-user deletion: Email-only via support@t2mio.com; "1–2 business days" turnaround. Not self-serve.
Best for: Operators who value cookie-minimalism (T2M says it uses only necessary cookies + does not run ad cookies) and a public subprocessors page.
Worst for: Anyone who needs disclosed retention windows or a self-serve deletion flow.
The "no ad cookies" stance is a real differentiator at the platform level, but the privacy policy fails to itemise QR scan data and lacks a CCPA opt-out link — patterns that compete poorly with Hovercode at a similar transparency promise.
QR Tiger
Privacy hygiene: 8.0/100 · paid-dynamic
Scan data collected: "Non-personally identifiable statistics about usage" — not itemised. Form metadata: submission time + device/browser + IP. Marketing pages claim "anonymized prior to database storage" but give no detail on hash/aggregation method.
GDPR notice: No dedicated GDPR notice; references Singapore compliance. Multi-language site but no jurisdictional split.
CCPA opt-out: Not mentioned in privacy policy.
Retention: Account-tied data "as long as the vCard Owner maintains an active account"; no scan-analytics retention window.
Third-party sharing: Vague — "service providers (subprocessors)" for hosting/security/analytics/support; no named partners.
Scan-time notice: No visitor-facing privacy notice described for QR scans.
End-user deletion: No self-serve end-user deletion tool described.
Best for: Operators primarily concerned with ISO 27001 certification badge — QR Tiger heavily markets that credential.
Worst for: Anyone who needs to verify the "anonymized" claim — the policy provides no details on aggregation, hashing, or differential-privacy methodology.
The "anonymized prior to database storage" claim on marketing pages is the textbook example of "anonymous without proof" — no methodology, no audit, no third-party verification cited. ISO 27001 is a security standard, not a privacy one.
Methodology footnote: Marketing-transparency scored 0 because the marketing pages make a strong "anonymized" claim that the privacy policy does not back up with method or proof. A future update with anonymisation methodology would lift this to 8 or 12.5.
Methodology
Data collection window: April 23–25, 2026. Each vendor's published privacy policy, GDPR/CCPA notices, and product analytics documentation were reviewed. Where the primary policy URL was unreachable (Scanova returned HTTP 403, Visualead's m.visualead.com returned a TLS error), we fell back to the support-portal copy or third-party privacy reviews and noted the substitution in the per-vendor card's methodology footnote.
Privacy hygiene scoring (0–100, higher = more transparent and minimal):
1. Marketing-page tracking transparency (0 / 4 / 8 / 12.5): 12.5 if marketing pages explicitly state what's tracked; 8 if "analytics" is mentioned without itemisation; 4 if silent; 0 if the vendor claims "anonymous" without methodology.
2. Scan data-collection scope (0 / 4 / 8 / 12.5): 12.5 location-only; 8 location + device; 4 location + device + IP; 0 if behavioral inferences are also collected. Less collection scores higher.
3. Dedicated GDPR notice page (0 / 6 / 12.5): 12.5 if a standalone /gdpr-compliance page exists with detailed disclosures; 6 if an integrated GDPR section in the main policy; 0 if absent.
4. CCPA "Do Not Sell" / "Your Privacy Choices" link (0 / 12.5): 12.5 if a visible mechanism (link, form) lets California residents opt out of sale/sharing; 0 if absent or email-only.
5. Third-party data sharing documented (0 / 4 / 8 / 12.5): 12.5 if no sharing (architectural); 8 if specific subprocessors are named in the main policy; 4 if vague categories only; 0 if undisclosed or contradicted by third-party privacy reviewers.
6. Scan-data retention period stated (0 / 6 / 12.5): 12.5 if ≤30 days or non-collection; 6 if ≤180 days; 0 if unstated, "as long as necessary," or unbounded.
7. End-user-facing privacy notice on scan (0 / 6 / 12.5): 12.5 if the vendor surfaces a scan-time privacy link or notice (e.g. branded landing page with privacy URL); 6 if dependent on creator implementation; 0 if absent.
8. Self-serve end-user data export/deletion (0 / 6 / 12.5): 12.5 if a true self-serve flow (dashboard delete, public form); 6 if partial (account deletion exists but residual data persists); 0 if email-only or absent.
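The composite score is the plain sum of the eight criteria above, each capped at 12.5. The scorer below is an added illustration (not QrBunny's own scoring code) that enforces the allowed point values per criterion and reproduces GoQR.me's 93.5; the per-criterion values for GoQR.me are an assumption inferred from its card (non-collection earns the top mark on every row), since the page states only the 6/12.5 self-serve grade and the total.

```python
# Composite privacy-hygiene scorer reconstructed from the eight-criterion rubric.
# Added illustration; not the index's own scoring code.

# Allowed point values per criterion, in rubric order (each maxes at 12.5).
RUBRIC = {
    "marketing_transparency": (0, 4, 8, 12.5),  # 1. marketing-page tracking transparency
    "scan_scope": (0, 4, 8, 12.5),              # 2. scan data-collection scope
    "gdpr_notice": (0, 6, 12.5),                # 3. dedicated GDPR notice page
    "ccpa_optout": (0, 12.5),                   # 4. CCPA opt-out link/form
    "third_party_sharing": (0, 4, 8, 12.5),     # 5. third-party sharing documented
    "retention_stated": (0, 6, 12.5),           # 6. scan-data retention period stated
    "scan_time_notice": (0, 6, 12.5),           # 7. end-user-facing notice on scan
    "self_serve_deletion": (0, 6, 12.5),        # 8. self-serve export/deletion
}
MAX_SCORE = sum(max(values) for values in RUBRIC.values())  # 8 * 12.5 == 100


def privacy_hygiene_score(card: dict) -> float:
    """Sum the eight criteria, rejecting missing/extra keys and off-rubric values."""
    missing = RUBRIC.keys() - card.keys()
    extra = card.keys() - RUBRIC.keys()
    if missing or extra:
        raise ValueError(f"criteria mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    total = 0.0
    for name, allowed in RUBRIC.items():
        value = card[name]
        if value not in allowed:  # e.g. a GDPR grade of 4 is not a rubric value
            raise ValueError(f"{name}={value!r} is not one of {allowed}")
        total += value
    return round(total, 1)


def is_valid_card(card: dict) -> bool:
    """True when the card scores without raising; useful for bulk-checking a CSV mirror."""
    try:
        privacy_hygiene_score(card)
        return True
    except ValueError:
        return False


# GoQR.me card. ASSUMED per-criterion breakdown: non-collection earns the top mark on
# every row; only the 6/12.5 self-serve grade and the 93.5 total are stated on the page.
GOQR_ME = {
    "marketing_transparency": 12.5,
    "scan_scope": 12.5,
    "gdpr_notice": 12.5,
    "ccpa_optout": 12.5,
    "third_party_sharing": 12.5,
    "retention_stated": 12.5,
    "scan_time_notice": 12.5,
    "self_serve_deletion": 6,
}

# Constructed worst case: every criterion at its floor (opaque, maximal collection).
OPAQUE_VENDOR = {name: 0 for name in RUBRIC}

if __name__ == "__main__":
    print("GoQR.me:", privacy_hygiene_score(GOQR_ME))                # 93.5
    print("opaque:", privacy_hygiene_score(OPAQUE_VENDOR))           # 0.0
    print("valid?", is_valid_card({**GOQR_ME, "gdpr_notice": 4}))   # False
```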
Important disclosures and limitations:
- This index measures DISCLOSED policy + DOCUMENTED practice. It does NOT audit actual data flows, server-side telemetry, or downstream advertiser handoffs. A vendor with a clean policy could still mishandle data; a vendor with a vague policy could still be operationally hygienic. Where independent privacy reviewers (Lucid Privacy, pageloot) document SPECIFIC vendor data-sale practices that contradict policy, we cite that in the per-vendor card and adjust scoring accordingly (Uniqode case).
- "Static-only" generators (GoQR.me, QR Code Monkey free tier) score high because they don't collect scan data. This is privacy-via-non-collection, not privacy-via-good-policy. Operators who NEED dynamic analytics cannot use these as substitutes.
- Marketing-claim vs. policy-substantiation gaps are a recurring pattern. QR Tiger claims "anonymized prior to database storage" without methodology; Uniqode claims GDPR + SOC 2 + HIPAA + ISO 27001 simultaneously while leaving scan-data sharing in vague-category language. Compliance certifications and privacy hygiene are correlated but not identical.
- Three vendors initially scoped (Visualead, QR.io, T2M) had limited policy detail in scan-specific terms. Visualead has additionally CLOSED new signups per their site footer — included for historical completeness only.
- Free-tier scoring is for the FREE product as documented. Paid tiers from the same vendor (e.g. QR Code Monkey paid analytics, GoQR.me's QR-Server) are different scope and would re-score.
- This is a snapshot. Privacy policies update — the verifiedOn marker is 2026-04-25, the lastReviewed marker 2026-04-25T00:00:00Z. Re-verification cadence: quarterly, with interim updates triggered by material policy changes flagged by QrBunny's policy-monitor cron.
What this index does NOT measure: product quality, scan reliability, dynamic-QR analytics depth/accuracy, customer support, pricing, or affiliate-program terms. For a complementary product-quality analysis see our Best QR Code Generators 2026 ranked guide and Q2 2026 QR Pricing Report.
Update cadence: Privacy hygiene scores re-verified quarterly; vendor privacy policy changes that materially shift a score trigger an interim update with a "lastReviewed" timestamp revision. The CSV mirror is regenerated alongside.
Disclosure: QR Code Tools & Generator earns affiliate commissions from some QR-platform vendors covered in this index. Affiliate relationships do not affect scoring — the highest-affiliate-revenue vendor in our portfolio (Uniqode/Beaconstac) scored 20.5/100, near the bottom. Methodology is mechanical and source-driven.
License: CC BY 4.0. Cite as: "2026 QR Code Platform Privacy & Tracking Disclosure Index, QR Code Tools & Generator, 2026-04-25. Available at https://qrbunny.com/2026-qr-privacy-tracking-disclosure-index."
Sources
- [1] GoQR.me — Privacy & safety page (no scan-side communication; QR cache deleted ~30s)
- [2] Lucid Privacy — "QR Codes: Useful Tool, or Privacy Disaster?" (industry survey)
- [3] Hovercode — Privacy Policy (named subprocessors: Stripe, Postmark, DigitalOcean, Plausible, HelpScout, Sentry; truncated IP)
- [4] Hovercode — GDPR section (in same policy; data-controller contact + data-subject-rights breakdown)
- [5] Flowcode — Privacy Policy (IP + cookie IDs + inferences; "record of the specific QR Code you scanned")
- [6] Flowcode — "Your Privacy Choices" form (CCPA opt-out)
- [7] Flowcode — CCPA security page
- [8] QRCodeChimp — Privacy Policy (browser+device+IP; 180-day server logs; self-serve account delete)
- [9] QRCodeChimp — Analytics guide (scan location/device/frequency)
- [10] Bitly — Privacy Policy (IP + advertising IDs + "electronic network activity"; 3yr anonymisation; named subprocessors Google/Facebook)
- [11] Bitly — Cookie Policy
- [12] Bitly — Data Privacy Statement (joint controllers Bitly Inc + Bitly Europe)
- [13] Bitly Europe — DPA (PDF, GDPR Art. 28 processor terms)
- [14] Uniqode — Privacy Policy (vague third-party categories; non-precise geo)
- [15] Uniqode — GDPR Compliance page
- [16] pageloot — "QR Code Privacy Laws: A Compliance Guide" (third-party documentation that Uniqode/Flowcode/QRCodeChimp share/sell scan data)
- [17] Lucid Privacy — Independent QR-platform privacy review
- [18] QR Tiger — Privacy Policy (Singapore-compliance; "anonymized prior to database storage" without methodology)
- [19] QR Tiger — "How QRTIGER Handles Scanners and Users' Data" (marketing page making the anonymisation claim)
- [20] Scanova — Privacy Notice (support portal — main /privacy-policy.html returned 403 during research window)
- [21] Scanova — "Can QR Codes Be Tracked?" (vendor disclosure of scroll depth + link click + button-interaction tracking)
- [22] T2M — Privacy Policy (no scan-specific itemisation; subprocessors list referenced but not enumerated in main text)
- [23] T2M — Subprocessors list (referenced)
- [24] QR Code Monkey — Generator landing page (free static; no analytics on free tier)
- [25] Scanova review — "Is QR Code Monkey Safe in 2026?" (third-party assessment)