Denso Wave invented the QR code in 1994 and deliberately waived the patent rights. The specification is an open ISO standard. Generating one takes three lines of Python. Yet the "QR code generator" industry is a $13 billion market where companies charge $89 a month for what is, functionally, encoding a string into a 2D barcode.
QR encoding is an open ISO standard with expired patents; any library can generate one offline in three lines of code. What the paid vendors actually sell is a redirect server: when your subscription lapses, their server stops resolving the link and every printed card, menu, or invitation goes dead. Use static codes for permanent URLs. If destinations must change later, point the code at a domain you control, not theirs.
Updated April 2026: Added analysis of 202 real one-star reviews across Trustpilot and Sitejabber, the GDPR Article 17 account-hostage angle, Uniqode's finding that 52% of consumers have scanned a dead QR code, and refreshed 2026 market numbers (3B today to 3B by 2030, with dynamic codes now holding 65%+ of market share).
I've spent years building systems that genuinely need infrastructure: voice AI processing real-time audio streams across government networks, a push notification platform handling 30 million concurrent connections. Those problems justify servers, subscriptions, engineering teams. A QR code is a deterministic encoding of text into a grid of black and white squares. The algorithm runs on your phone. No server required. Nothing to subscribe to. Yet Bitly acquired QR code generator Egoditor for enough cash and stock to create a combined $75 million ARR company, selling access to an algorithm that ships free in every programming language on earth.
The Math Behind the Absurdity
Here is a complete QR code generator in Python:
import qrcode
img = qrcode.make("https://example.com")
img.save("qrcode.png")Here it is in JavaScript, running entirely in your browser:
new QRCode(document.getElementById("qrcode"), "https://example.com");That's it. No API key. No server. No monthly fee. The python-qrcode library is about a thousand lines of code; the browser-based qrcode.js is even smaller. These aren't wrappers around proprietary engines. QR encoding is an open standard published as ISO/IEC 18004. Anyone can implement it. Thousands have. The core patent, US 5,726,435 — "Optically Readable Two-Dimensional Code and Method and Apparatus Using the Same", was filed by Denso engineers Masahiro Hara and Motoaki Watabe in 1995, granted in 1998, and expired in 2015. The Japanese equivalent expired in 2014. Denso Wave has publicly stated it will not exercise patent rights on standardized QR codes, and Hara himself has given interviews describing the non-enforcement as a deliberate choice made to encourage adoption.
So what exactly are you paying $89 a month for?
The Dynamic Code Hostage Play
The answer is a redirect server. That's the entire product.
When a QR code generator sells you a "dynamic" QR code, your code doesn't point to your URL. It points to their server. Their server redirects to your URL. This means they can change the destination after you print. It also means something else: if you stop paying, the redirect stops working. Your printed menus go dead. Your business cards link to nothing. Your flyers become litter.
This is not a technology product. It is a hostage negotiation with your printed materials as collateral. Cancel your subscription and the QR codes on the 500 flyers you printed redirect to a "subscribe to continue" page. The market-leading generator, qr-code-generator.com (now owned by Bitly), carries a 1.5 out of 5 rating on Trustpilot across 9,227 reviews as of April 2026. Users report codes deactivating after 14-day trials, impossible cancellation flows, and continued billing after cancellation that required changing credit card numbers.
A static QR code, one that encodes the actual URL directly, works forever. No server. No subscription. But it can't be held hostage, which is precisely why these companies push "dynamic" codes as the premium product. The hostage model is the feature, not the bug.
The $100 Million ARR on a Free Standard
Step back and the scale of the shakedown becomes clearer. Industry forecasts put the global QR market above $13 billion in 2025, growing at a 20%-plus annual rate toward $33 billion by 2030, with some longer-horizon estimates reaching $89 billion by 2034. More than half of the world's internet users now scan at least one QR code a month, and 102 million Americans are expected to scan one in 2026.
Here is the detail that explains everything else in this article: dynamic QR codes now hold more than 65% of market share. That is not a preference revealed by customers. That is a category engineered by vendors, because dynamic codes route through a redirect server and static codes do not. The redirect is where the subscription lives. Of every dollar flowing through this market, roughly two-thirds flow through a server somebody else controls and can turn off.
The revenue concentration at the top is where the arithmetic gets absurd:
| Company | Revenue | What They Sell | What It Costs to Build |
|---|---|---|---|
| Bitly/Egoditor | $100M+ ARR | URL redirect + analytics | ~$50/month in hosting |
| Uniqode (Beaconstac) | $22.9M revenue | QR generation + scan tracking | ~$20/month in hosting |
| Flowcode | $15.7M revenue | Branded QR codes | Canvas API + redirect server |
Uniqode raised a $25 million Series A in 2023. Flowcode was founded by the former CEO of AOL and president of Google Americas. These aren't scrappy startups discovering product-market fit. They are experienced operators who recognized that you can build a recurring revenue business on a free technology by inserting yourself as a required intermediary. Which is exactly what the redirect server does: it makes the QR code dependent on continuing to pay.
On CodeCanyon, you can buy a complete white-label QR code SaaS platform for $33. Dynamic codes, analytics, 20 payment gateways, multi-language support, subscription management. Not $33 a month. Thirty-three dollars, once. That is the actual market value of the software these companies have built. Everything above that, all $99,999,967 in annual recurring revenue, is margin on consumer confusion.
What 202 Real Reviews Have in Common
Abstract complaints are easy to wave away. So in April 2026 I pulled every one-star review I could find for the largest paid QR generators—202 reviews across Trustpilot and Sitejabber—and tagged them by the kind of pain the reviewer described. The patterns are not subtle.
| What reviewers reported | Count |
|---|---|
| Cited a specific dollar amount (median pain ~$120/yr) | 87 |
| Called it a scam outright ("theft", "crooks", "bait-and-switch") | 72 |
| Got caught by a trial trap (7, 10, or 14 days) | 55 |
| Had already printed materials before the code died | 48 |
| Could only reach an AI chatbot—no humans | 27 |
| Refund explicitly refused | 11 |
| Pricing shown monthly, charged as full year upfront | 7 |
The dollar amounts that come up over and over: $119.88, $132, £144, €178, €180. The prices aren't random—they cluster around the threshold where a frustrated small-business owner gives up fighting the charge and just pays. Sixteen separate reviewers cited roughly the same $120 annual figure.
The quotes read like testimony:
"Printed 500 business cards with it. After the trial period ended, the QR code on all of my printed materials stopped working."—Chrystina Tapia, Sitejabber
"Used this website to make a QR code for my wedding invite. Two weeks later they send an email saying my free trial expired."—Arabella, Trustpilot
"My daughter was raising money for a dog charity, only for the code to discontinue after 2 weeks and then billed £144."—Linda Foulkes, UK, Trustpilot
"After 21 scans they block it and you pay a lot of money to keep it activated."—Arjan Postma, Belgium, Trustpilot
Weddings. Dog rescues. Business cards. Seven of the reviews I tagged were wedding planners—people who got the code working the week they mailed out invitations, then watched it die before the ceremony. Twelve were event marketers whose conference QRs failed mid-event. The system is not hurting Fortune 500 marketing departments with options and lawyers. It is hurting the people for whom $120 is a real amount of money and a printed mistake is a real embarrassment.
Cody, ADA, and the GDPR Hostage Play
Support is the other half of the story, and it keeps showing up in the reviews as a proper noun: Cody, the AI chatbot that answers QR Code Generator's support queue, and ADA, a similar bot at another competitor. Twenty-seven of the 202 reviewers explicitly complained they could not reach a human. You hit the bot. The bot cannot cancel the subscription, cannot issue a refund, cannot explain the charge. That is the feature.
One review stood out as a new legal angle. Martin Hala, a Polish two-year paying customer, was refused cancellation after an accidental renewal, then told his account would not be deleted unless he paid the disputed invoice first:
"Holding account deletion hostage to force payment is, in my view, a deeply questionable practice, and potentially a violation of GDPR Article 17, which grants the unconditional right to erasure."—Martin Hala, Poland, Trustpilot
Article 17 of the GDPR gives EU residents an unconditional right to have their personal data erased. Conditioning that erasure on payment of a disputed invoice is not a gray area. It is the kind of complaint European regulators open files on. The dark patterns the FTC warned about in 2021 are, in Europe, starting to look like something sharper.
There is also an industry admission worth sitting with. Uniqode—one of the companies selling dynamic QR codes—published research in 2025 estimating that 52% of consumers have scanned a dead QR code. Roughly half of all QR scans now land on nothing, because the redirect behind them has been turned off. The industry built the dead-code problem, measured the dead-code problem, and then sold the solution: keep paying us, or join the half.
The Security Problem Nobody Mentions
A darker side of this industry gets buried under the subscription pricing debate. QR codes are inherently unreadable by humans. You cannot look at one and know where it leads. That makes them a perfect phishing vector, and the industry's push toward dynamic codes makes the problem worse.
Parking meters in New York, San Francisco, and multiple Texas cities have been hit with fake QR code stickers that redirect to convincing payment pages designed to steal credit card information. NYC's Department of Transportation issued a formal advisory in 2025. The BBB published a specific scam alert. The FBI warned about malicious QR codes a month before Coinbase spent $14 million on a Super Bowl ad that was literally just a bouncing QR code on a black screen, training 100 million viewers to scan codes without thinking about where they lead.
Malicious QR codes rose 25% year-over-year into 2025. QR phishing, known as "quishing," now accounts for 12.4% of all phishing payloads, up from 0.8% in 2021. Twenty-six million Americans have been directed to malicious sites via QR codes. C-suite executives are 42 times more likely to receive QR phishing attacks. Average breach cost from quishing: $4.45 million.
Meanwhile the QR code industry's response is to sell more dynamic codes that train people to trust redirect-based systems. Incentive structure is exactly backwards.
What "Free" Actually Costs
Pricing tiers across the industry follow a pattern designed to extract maximum revenue from minimum technical investment:
- Offer "free" static codes (loss leader, no revenue)
- Push "dynamic" codes as the real product (redirect server)
- Gate basic features behind trials that auto-convert to paid
- Set scan limits that trigger mid-campaign on your busiest day
- Make cancellation harder than signup (FTC is now watching)
- When customer leaves, deactivate all codes—hostage achieved
The FTC's Click-to-Cancel rule, which requires cancellation to be as easy as sign-up, targets exactly these patterns. That QR code generators needed federal regulation to stop trapping users tells you everything about how the business model works.
A friend of mine recently opened a small aquarium business. She showed me a QR code service quoting her $46 a month—the cheaper plans were so limited they were useless. Forty-six dollars a month. For a small business owner printing tank labels and care guides, that's $552 a year to generate a barcode. She wasn't paying for technology. She was paying because nobody had told her the technology is free.
Reddit is full of the same wreckage at larger scales. Restaurants that printed 500 menus with dynamic QR codes and found them redirecting to upgrade pages on a Saturday night. Small businesses that forgot to cancel free trials and got charged $40 a month for months. Event planners who discovered their QR codes had hidden scan limits—not prominently disclosed—that triggered during peak traffic.
These aren't edge cases. They are the business model.
When Dynamic Codes Actually Make Sense
Let me be clear: QR codes are genuinely useful technology. I use them across my own projects for e-signature document delivery, two-factor authentication setup, and app deep linking. They are everywhere for good reason, from boarding passes to TOTP enrollment to restaurant ordering. The technology is not the problem. The business model wrapped around it is.
To be fair: the logic behind dynamic QR codes is sound on paper. If you print 10,000 product labels and later change your landing page URL, a static code is dead. Dynamic codes let you update the destination without reprinting. For large enterprises running multi-channel campaigns with A/B testing and geographic routing, the analytics dashboard has real value. Marketing teams at BMW and NBCUniversal aren't confused about what they're buying.
But that's not who's paying $46 a month. The bulk of the revenue comes from small business owners printing menus, landscapers putting codes on truck magnets, and event planners making conference badges. For most of them, the URL is unlikely to change. A static code does everything they need, forever, for free. The dynamic upsell is a solution to a problem they don't have, packaged to create a problem they will have: dependency on a subscription to keep their printed materials working.
A Weekend Experiment That Proved the Point
After watching my friend get quoted $46 a month, I sat down and built a full-featured QR code generator in under a day. Not a toy: 20 QR code types, custom styling, batch CSV generation, PDF export, a built-in scanner, offline support via service worker. About 6,500 lines of vanilla JavaScript on a static page, with no server, no login, no tracking, and nothing to subscribe to.
Eighteen months later
That prototype kept growing. Below are the current numbers from the repo, pulled this morning:
Payment codes for thirty-plus countries, from SEPA and UPI to PromptPay and Pix. Security formats like TOTP, HOTP, SSH keys, PGP public keys, and eSIM activation. Regulated barcodes: GS1, EAN-13, Code 128, PDF417, Aztec, Data Matrix, AAMVA driver-license format, IATA boarding passes. Every one of them client-side. No database. No redirect servers. No analytics pipeline. A pure computation that happens on your phone or laptop, once, and then the code is yours. Forever. Nobody can turn it off because there is nothing to turn off.
The honest version of dynamic codes
I also built the thing the industry claims justifies its pricing: a dashboard product for the genuine case where someone actually needs editable destinations, scan analytics, team seats, and an API. If a large-campaign marketer wants a dashboard, fine. The interesting part was fixing the hostage problem first: a 90-day grace period after cancellation during which every code keeps resolving, no IP addresses or raw user agents ever logged, and a written commitment that redirects never go dark as a subscription lever. That is the bar the dynamic-QR industry could have met at any point in the last decade, and chose not to.
My point was never to compete. My point was that the technical barrier to entry for this $13 billion market is effectively zero, and the customer-friendly version of the business is an architecture choice, not a cost problem. What the incumbents have built isn't technology. It's a toll booth on a public road, maintained by refusing to build a grace period.
What This Pattern Tells You
QR code generators are a textbook case of a pattern that shows up across SaaS: insert yourself as an intermediary on a free standard, create artificial dependency through your infrastructure, charge rent on something the customer could own outright. Same playbook behind AI wrapper businesses that resell API calls with a 40x markup. Same playbook behind link shorteners that charge for a 301 redirect.
Here is how you spot it: the product requires their server to keep running, but the underlying technology doesn't require a server at all. If a QR code pointed directly to your URL instead of through a redirect, the generator company would have zero recurring revenue. The redirect isn't a feature. It's the architecture decision that enables the business model.
The most profitable SaaS companies aren't the ones solving the hardest problems. They're the ones convincing you that a free standard requires a subscription. Next time someone pitches you a SaaS product, ask one question: does this need a server, or does it need a server so they can charge me? The answer tells you whether you're looking at infrastructure or a toll booth.
The Bottom Line
The QR code generator industry charges $50 to $89 a month for an open standard that takes three lines of code to implement. The "dynamic" QR code product—the one behind the paywalls—is a redirect server that creates artificial dependency on a subscription. Cancel and your printed materials stop working. It's a $13 billion market built on consumer confusion, dark patterns, and the structural advantage of being the intermediary that nobody needs but everyone thinks they do. The technology is free, the patents expired in 2015, and open-source libraries implement the full spec in every mainstream language. The only thing standing between you and a working QR code is the knowledge that you don't need permission to make one.
"The most profitable SaaS companies aren't the ones solving the hardest problems. They're the ones convincing you that a free standard requires a subscription."
Sources
- Bitly makes first acquisition with QR code leader Egoditor — Bitly acquires Egoditor, maker of qr-code-generator.com, creating combined $75M ARR company with 325,000 paying customers
- QR Codes Market Size & Share Analysis - Growth Trends & Forecasts — QR code market valued at $13.04B in 2025, projected to $33.14B by 2031 at 16.82% CAGR
- QR Code Generator Reviews - Trustpilot — Market-leading QR code generator rated 1.5/5 across 9,213 reviews with complaints about deactivated codes and billing
- FTC to Ramp up Enforcement against Illegal Dark Patterns that Trick or Trap Consumers into Subscriptions — FTC enforcement against dark patterns including auto-converting trials and difficult cancellation flows
- QR Code Patent Information - Denso Wave — Denso Wave official statement on QR code patent rights - deliberately waived for standardized codes
- US 5,726,435 — Optically Readable Two-Dimensional Code and Method and Apparatus Using the Same — Core QR code patent. Filed by Masahiro Hara and Motoaki Watabe (Denso Corp) in March 1995, granted March 1998, expired 2015.
The Hard Truth
Want someone who'll tell you what vendors won't? No optimism theater, just honest assessment.
Book a Call