Legal

Privacy Policy

Last updated: April 2026 · TwentyOneTools · United Kingdom

The short version: your data never leaves your device. We do not upload, store, or access any content you enter into the QR generator. Everything happens locally in your browser.

1. Who we are

TwentyOneTools is an online QR code generation service operated from the United Kingdom. Our primary service allows users to generate QR codes for various content types directly within their web browser. References to "we", "us", or "our" in this policy refer to TwentyOneTools.

For any privacy-related enquiries, contact us at: privacy@twentyonetools.com

2. What data we collect

We are committed to collecting as little data as possible. Here is exactly what we collect and why:

Account information — if you create an account, we store your name, email address, and encrypted password. If you sign in via Google, we receive your name and email from Google.
Usage data — we may collect anonymised, aggregated statistics such as which pages are visited and how many QR codes are generated. This contains no personally identifiable information.
Payment information — if you subscribe to a paid plan, payment is processed by Stripe. We do not store your card details. Stripe's privacy policy applies to payment data.
Technical data — your IP address, browser type, and device type may be logged briefly for security and fraud prevention purposes.

We do not collect your QR code content. All QR code generation is performed entirely within your browser using JavaScript. No URLs, passwords, contact details, or any other content you enter is ever transmitted to our servers.

3. How we use your data

We use the data we collect solely for the following purposes:

To provide and maintain your account
To process subscription payments and manage billing
To send transactional emails such as account confirmation and password reset
To improve our services through anonymised usage analytics
To detect and prevent fraud or abuse
To comply with legal obligations under UK and applicable law

We do not sell your personal data to any third party. We do not use your data for advertising purposes.

4. Legal basis for processing (UK GDPR)

Under the UK General Data Protection Regulation (UK GDPR), we process your personal data on the following legal bases:

Contract — processing necessary to provide the service you have signed up for
Legitimate interests — anonymised analytics to improve our service, and security monitoring
Legal obligation — where we are required to retain data by law
Consent — for any optional communications such as product updates, where you have explicitly opted in

5. Cookies

We use a minimal number of cookies to operate the service. These include:

Essential cookies — required to keep you signed in to your account and maintain session security
Analytics cookies — anonymised, aggregate data to understand how the site is used. No personal data is stored in these cookies

We do not use advertising cookies or tracking cookies. You can control cookie preferences through your browser settings or via the cookie banner shown on your first visit.

6. Data sharing and third parties

We share data with the following third-party services only where necessary to operate TwentyOneTools:

Stripe — payment processing. Subject to Stripe's own privacy policy
Google — optional Google sign-in. Subject to Google's privacy policy
Google Fonts / CDN providers — fonts and libraries loaded from CDNs may log your IP address

We do not share personal data with any other third parties, advertisers, or data brokers.

7. Data retention

We retain your account data for as long as your account is active. If you delete your account, your personal data will be permanently deleted within 30 days, except where we are legally required to retain it (for example, billing records which may be retained for up to 7 years under UK tax law).

Anonymised analytics data may be retained indefinitely as it cannot be used to identify you.

8. Your rights under UK GDPR

As a UK resident, you have the following rights regarding your personal data:

Right of access — you can request a copy of the personal data we hold about you
Right to rectification — you can ask us to correct inaccurate data
Right to erasure — you can request that we delete your personal data
Right to restrict processing — you can ask us to limit how we use your data
Right to data portability — you can request your data in a portable format
Right to object — you can object to processing based on legitimate interests

To exercise any of these rights, contact us at privacy@twentyonetools.com. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.

9. Data security

We take reasonable technical and organisational measures to protect your personal data. Passwords are stored using industry-standard hashing. All data in transit is encrypted using HTTPS/TLS. Access to personal data is restricted to authorised personnel only.

10. Children's privacy

TwentyOneTools is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "last updated" date at the top of this page. For significant changes, we will notify registered users by email.

12. Contact

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us at:

privacy@twentyonetools.com