Camera decoding is free. Verdicts are metered.
Browser-side QR decoding runs on your device and never hits a server, that part stays free. Server-side classification (reputation, chain trace, mutability, sub-payload analysis) is metered. 3 anonymous scans per IP every 24 hours, then a paid tier when you need more.
Features marked Coming are on the near-term roadmap (see /coverage/ for full status). Founding-Member rates lock today’s price for the lifetime of your subscription, including features that ship next. Buying Founding today is a forward-rate lock, not a today-rate snapshot.
Need more than Enterprise?
Enterprise Scale, from $1,500 base + $7/seat. Custom scan + seat limits, negotiated MSA, BAA, custom SLA, US / EU / FedRAMP residency, private VPC or on-prem deployment, per-tenant indicator feeds, 24×7 incident response.
Pricing FAQ
What counts as a scan?
One scan = one decoded payload submitted to the server-side /api/scan endpoint. Browser-side decoding (the camera read or image upload that turns a QR into text) is not metered, that runs on your device. We only meter the verdict pipeline (chain walk, reputation queries, mutability classification, sub-payload analysis). Identical payloads scanned within the cache TTL count once.
How does the 3-scans-per-24h free cap work?
Free anonymous use is rate-limited by a hash of your IP (plus a server-held salt, we don't store IPs in cleartext). 3 successful classifications per 24-hour rolling window. The cap resets independently per IP. No signed-up free tier on top of this, anonymous use is the free tier. If you need more than 3/day, Personal at $4.99/mo lifts the cap and adds history.
What's a mutation alert?
You hand us a QR's decoded payload; we re-walk the redirect chain on a periodic cadence and email you if the terminal destination, redirect targets, or set of indirection-service operators changes. Catches the most common quishing pattern: print a clean QR, swap the destination to phishing months later, harvest scans from the printed asset. Personal includes 1 alert; Starter 5; Pro 25; Business and Enterprise unmetered.
What happens if I hit my cap?
The API returns a 429 with a retry_after header. We never silently downgrade verdict quality or stop classifying, you simply can't submit more scans until the window resets or you upgrade.
Do you offer annual billing?
Yes, at all paid tiers (Personal through Enterprise). Annual is two months free relative to monthly, same monthly cap, prepaid yearly. Enterprise Scale contracts are annual by default with custom terms.
Can I switch tiers mid-cycle?
Yes. Upgrades take effect immediately and we pro-rate the new tier. Downgrades take effect at the end of the current billing cycle.
Do you offer BAA, DPA, or HIPAA-aligned coverage?
BAA is available on Enterprise. DPA is included on every paid tier. For HIPAA-aligned workloads (Smart Health Card scanning, healthcare deployment), Enterprise + BAA is the supported configuration. Enterprise Scale can negotiate residency (US, EU, or FedRAMP-class) and on-prem deployment.
Why is server-side classification metered and camera decoding isn't?
Camera decoding is pure local compute on your device, there's nothing for us to meter and no marginal cost to us. Server-side classification consumes our infrastructure (reputation-service API quotas, redirect-chain walking bandwidth, CPU). The meter aligns price with the cost driver.
What if I'm a security researcher / non-profit / educator?
Email hello@abundera.ai with your use case. We grant Pro-tier free for academic security research, journalist investigations, and consumer-protection non-profits.