Are QR Code Generators Tracking You? How to Check in 30 Seconds

What data QR code generators can collect, how to verify if yours leaves your browser, and how to pick one that's actually private and tracker-free.

Creating a QR code looks harmless: you fill in a form, you get an image. What you don't see is what happens to the data you typed in — whether it stays in your browser or travels to the provider's server.

For WiFi, vCard, payments and any personal data, that difference matters.

Quick answer

  • Online QR generators can track two distinct things: the data you enter (password, contact, URL) and who scans the QR afterwards.
  • Tracking of entered data depends on whether generation is server-side (data travels to a server) or client-side (everything happens in your browser).
  • Tracking of scans is only possible with dynamic QRs: the QR points to a provider URL that logs every visit.
  • You can verify it in 30 seconds with your browser's DevTools (the Network tab) while generating the QR.
  • If you're entering sensitive data (WiFi, vCard, payments), use client-side generators, no signup, ideally open source.

What kinds of tracking exist in a QR generator

Three distinct layers:

1. Tracking of the data you enter

When you fill in the form (SSID, password, contact, URL), that information can:

  • Stay in your browser and never be sent anywhere (client-side generation).
  • Travel to the provider's server to build the image and return it (server-side generation). It can then sit in logs, analytics or databases.

Most online generators are server-side by default, because it's the easiest implementation. That doesn't mean the provider is malicious, but it does mean your data passes through their infrastructure.

2. Tracking of the user generating the QR

Like any website, the generator may have:

  • Analytics (Google Analytics, Plausible, Matomo, etc.).
  • Third-party cookies and ad pixels (Meta, TikTok, Google Ads).
  • Browser fingerprinting to identify you without cookies.
  • A mandatory account that ties every QR you generate to your identity.

This is independent from the QR generation itself, but it's part of the package.

3. Tracking of who scans the QR

Only applies to dynamic QRs: the code points to a short provider URL (qr.xx/abc123) that redirects to the real destination. Each redirect is logged with:

  • Exact scan time.
  • User's IP (so approximate location).
  • Device type, OS, browser.
  • Referer if any.

In a dynamic QR, scan tracking isn't accidental — it's the product's reason for being.

How to detect if your generator tracks you (no coding required)

Three minutes with any modern browser:

  1. Open the generator you plan to use.
  2. Press F12 (or right-click → Inspect) and go to the Network tab.
  3. Make sure recording is on (the red record button), keep the tab open and clear the list (the ⌀ button).
  4. Fill in the QR form with any data and hit "generate".
  5. Look at the requests that appear in the list.

What to look for:

  • If no new requests appear during generation: the QR is being built 100% in your browser. Client-side. ✅
  • If a POST request appears to a provider URL right when you hit generate, with your fields (SSID, password, etc.) in the payload: your data is travelling to the server. Server-side. ❌ for sensitive data
  • If the response is the QR image (PNG or SVG) generated by the backend: that confirms the server is building the code.

Also check whether the page loads Google Analytics, Meta Pixel or other tracker scripts (you'll see requests to google-analytics.com, googletagmanager.com, connect.facebook.net, etc.).
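
The same check can be run over a saved capture: export the Network tab as a HAR file after generating the QR and scan it for the values you typed. The script below is an added example, not code from any generator discussed here; the sample capture, its hosts, paths and field values are constructed placeholders, and it only catches values sent in plain or percent-encoded form.

```javascript
// Tracker hosts named in the article; extend the list as needed.
const TRACKER_HOSTS = ["google-analytics.com", "googletagmanager.com", "connect.facebook.net"];

// Decode percent-encoding without throwing on malformed input.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch { return s; }
}

// Scan a HAR export for typed form values that left the browser and for tracker requests.
function auditHar(har, typedValues) {
  const report = { leaks: [], trackers: [], serverBuiltImage: false };
  for (const { request, response } of har.log.entries) {
    const host = new URL(request.url).hostname;
    if (TRACKER_HOSTS.some((t) => host === t || host.endsWith("." + t))) {
      report.trackers.push(host);
    }
    const body = request.postData?.text ?? "";
    // Search both the raw and the decoded form of the URL and the request body.
    const haystack = [request.url, body, safeDecode(request.url), safeDecode(body)].join("\n");
    const found = typedValues.filter((v) => haystack.includes(v));
    if (found.length > 0) {
      report.leaks.push({ method: request.method, host, values: found });
      // An image returned on the same request means the backend drew the QR.
      const mime = response?.content?.mimeType ?? "";
      if (mime.startsWith("image/")) report.serverBuiltImage = true;
    }
  }
  return report;
}

// Constructed sample capture (placeholder hosts and values, not a real site).
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE" },
    response: { content: { mimeType: "application/javascript" } } },
  { request: { method: "POST", url: "https://qr-generator.example/api/generate",
      postData: { mimeType: "application/json",
        text: '{"ssid":"HomeNet-5G","password":"correct horse battery"}' } },
    response: { content: { mimeType: "image/png" } } },
  { request: { method: "GET", url: "https://qr-generator.example/log?d=correct%20horse%20battery" },
    response: { content: { mimeType: "text/plain" } } },
] } };

console.log(JSON.stringify(auditHar(sampleHar, ["HomeNet-5G", "correct horse battery"]), null, 2));
```

Use throwaway values in the form when capturing, and pass those same values as `typedValues`; an empty `leaks` list on a real capture corresponds to the client-side case described above.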

Obvious red flags

Without DevTools, some quick indicators:

  • They require signup or an account to generate a basic QR.
  • They have a "PRO" plan with detailed scan tracking: if that's their business model, tracking is in the product's DNA.
  • The downloaded QR carries their URL instead of yours (qr.xx/abc123 instead of yourdomain.com): it's a dynamic QR, automatically tracked.
  • The privacy policy mentions sharing data with third parties, marketing partners or advertising use.
  • They don't publish the source code and the tool is free with no clear business model: someone is paying for it, usually with your data.

How to verify a generator is client-side

Quick checklist:

  • Works offline: disconnect your WiFi, reload the page, and try to generate. If it works, it's client-side. If it can't load or won't let you generate, it depends on the server.
  • No network requests when generating (verifiable with DevTools as above).
  • No account required, no email.
  • The source code is inspectable (open source or unminified JavaScript).
  • The QR destination is exactly what you type, not a shortened provider URL.

If all five hold, the generator can't track you or whoever scans the code.

Why this matters most for WiFi, vCard and payments

For a public URL (your business website, a public PDF), the generator "seeing" your URL adds no risk: it was going to be public anyway.

But there are three QR types where tracking is critical:

  • WiFi: your network password. If it travels to the provider's server, it's outside your control.
  • vCard: personal phone, email, address. Personal data covered by GDPR.
  • Payments / Bitcoin: wallet, IBAN, banking data. The highest sensitivity tier.

For these cases, using a client-side generator isn't paranoia — it's basic hygiene.

Open source vs proprietary

A generator being open source doesn't on its own guarantee more privacy, but it does let you:

  • Audit the code and verify there's no hidden tracking.
  • Confirm the client-side logic without taking the provider's word for it.
  • Self-host it if you want full control.

A proprietary generator can be just as private, but it requires trusting what the provider claims. With no auditable code, there's no way to verify.

In practice: open source + no account + no network during generation = the highest reasonable privacy standard.

Bottom line

Almost every online QR generator processes your data on its server. That's fine for a public URL, but risky for WiFi, vCard or payments. To verify in 30 seconds, open DevTools, go to Network, and check whether your browser sends any requests when you generate the QR. If it doesn't, it's client-side and your content never leaves your device.

QRcito generates every QR entirely in your browser, with no account, no network during generation, and no third-party trackers. You can verify it by opening DevTools before hitting generate.

FAQ

What does "client-side" mean in a QR generator?

That the JavaScript building the QR image runs inside your browser. The data you enter is never sent to any server. Generation is local, instant and offline-capable.

Is it legal for a QR generator to store my data?

If their privacy policy declares it and you accept it, yes. The problem is that many policies are vague or don't cover QR-specific data. When in doubt, assume they store something and pick another tool if your data is sensitive.

Can a static QR track who scans it?

No. A static QR doesn't pass through any server: the information goes directly from the code to the reader. Only dynamic QRs (with an intermediate redirect URL) can track scans.

How does GDPR apply to QR generators?

If you enter personal data (name, email, phone in a vCard) into a server-side tool based in the EU or serving European users, the provider is responsible for processing under GDPR. To minimise risk and obligations, the simple route is using client-side generators.

Why can QRcito offer everything for free without tracking?

Because generating QR codes is a lightweight process that doesn't require expensive infrastructure. Being client-side means no per-user server costs; with no tracking or accounts, there's no product to sell. The site runs at very low cost, with no need to monetise users.
