Businesses love QR codes because they bridge the physical and digital world, but that bridge also creates a temptation to collect more data than necessary about the people scanning them. This guide explains exactly what QR scan tracking can and cannot tell you, how the technology works under the hood, and how to set up tracking that gives you useful performance data without making your customers feel surveilled.
What QR Code Tracking Actually Measures
When people talk about 'tracking' a QR code, they almost always mean using a dynamic QR code, one that redirects through a server before sending the scanner to the final destination. Each time someone scans it, that redirect server logs an event: the timestamp, the approximate location derived from IP address, and the device or browser type.
This is fundamentally different from tracking an individual person the way an advertising cookie network might. A single scan event tells you that someone, somewhere, at some time, opened the code. It does not tell you their name, their exact address, or link that scan to other things they have done online unless you deliberately layer in additional tracking on the landing page itself.
The value for a business is aggregate: how many total scans did a poster get this week, what time of day are people scanning a menu code, which of three flyer locations drove the most traffic. These are legitimate, useful marketing questions that do not require identifying individuals.
Static vs Dynamic: Only One of These Can Be Tracked
This is the most important technical distinction to understand. A static QR code has the destination baked directly into the pattern, so when someone scans it, their phone goes straight there with no intermediary server involved at all. There is no possible way to count scans on a static code because nothing you control is in the path between the scan and the destination.
A dynamic QR code routes through a redirect service first, and it is that middle step that makes counting possible. This is precisely why our free tier, built for unlimited static codes generated entirely in your browser, cannot offer scan counts, and why real-time analytics live specifically in our Pro tier alongside editable dynamic codes.
If you genuinely need to know how many times a code was scanned, a dynamic code is the only technical path to that data, full stop. There is no way to retrofit tracking onto a static image after the fact.
The Privacy-Respecting Way to Set Up Tracking
If you decide you need scan data, be transparent about it rather than hiding it. A simple, honest approach is to make sure whatever page the code lands on clearly represents your business, so there is no ambiguity about who is collecting data and why, and to avoid stacking a QR redirect on top of additional third-party trackers like unrelated ad pixels that the visitor never agreed to.
Favor aggregate metrics over anything that could identify an individual. Total scan count, scans by day, and rough geographic region (city or metro level, not street address) answer almost every practical marketing question a small business or event organizer has, without needing device fingerprints or precise GPS coordinates.
Avoid combining QR scan data with other identifying information you might already have, such as a loyalty program email list, unless customers have clearly opted in to that specific use. The moment you cross-reference an anonymous scan with a known identity, you have moved from measuring a campaign to tracking a person, and that requires a much higher bar of consent and disclosure.
What Not to Do: Practices That Cross the Line
Avoid QR-based tracking setups that silently request location permissions, device identifiers, or contact list access as part of the landing page experience, since these go far beyond what a simple scan-to-website interaction needs and will rightly make visitors suspicious. If a code for a restaurant menu asks for camera or microphone permissions, that is a red flag, not a menu.
Do not disguise a QR code's true destination. A code that claims to lead to a coupon but actually first routes through several unrelated affiliate redirects or trackers before reaching the coupon erodes trust and, in many jurisdictions, can run afoul of consumer protection or wiretapping-style laws around deceptive data collection.
Steer clear of building scan data into individual customer profiles without clear notice. If your loyalty app scans a code and quietly appends that specific scan to a named customer record for marketing profiling, that goes beyond ordinary campaign measurement and into personal data processing that typically requires an explicit privacy disclosure and, in many regions, opt-in consent.
Practical Metrics That Actually Help Your Business
Total scans over time is the foundational metric: it tells you whether interest in a code is growing, flat, or fading, which is especially useful for comparing two versions of a poster or two placements of the same code around a store.
Scan timing patterns reveal a lot without any personal data at all. A restaurant might discover its table-top menu code gets scanned heavily at lunch but rarely at dinner, suggesting different menu strategies for each period, or an event organizer might see a spike right after a code is announced on stage versus a slow trickle from printed signage.
Rough geographic distribution, at the city or region level, helps multi-location businesses understand which physical placements are earning attention, for example comparing scan volume from a code on a delivery box against one taped to a storefront window, without needing to know anything about the individual scanning.
Communicating Tracking to Your Audience
A short, honest line near the code goes a long way toward building trust, something as simple as a note that scanning takes you to a specific webpage where you can review the site's own privacy policy. This is not legally required in every case, but it costs nothing and heads off the assumption that a QR code is a hidden surveillance tool.
If your landing page itself sets cookies or collects information beyond the scan event, for example an email signup form, disclose that on the page itself just as you would for any other web form, since the QR code is simply the doorway and the same rules that apply to your website apply once someone arrives.
For events, retail signage, and print materials aimed at the general public, keeping the tracking layer invisible in its mechanics but transparent in its purpose (measuring interest in a specific placement or campaign) is the sweet spot between getting useful data and respecting the people who trust you enough to point their camera at your code.
Choosing the Right Tool for Your Needs
If you do not need scan counts at all, for example a static Wi-Fi code at home, a vCard on a business card, or a one-time event flyer, a free static QR generator is not just sufficient, it is actually the more private and more permanent choice, since there is no server in the middle collecting anything.
If you are running an ongoing campaign, comparing multiple print placements, or need to update a destination after printing, a dynamic QR code with analytics is the appropriate tool, and that is what a Pro tier with editable codes and real-time scan and map data is designed for.
Match the tool to the actual question you are trying to answer. Many businesses default to tracking everything out of habit rather than need, when a simple, permanent static code would have served the purpose just as well and with far less privacy overhead.
Frequently asked questions
Can a static QR code be tracked at all?
No. A static QR code encodes the destination directly with no intermediary server, so there is nothing in the path of the scan that could log an event. Tracking is only possible with dynamic codes that route through a redirect service.
What information does QR scan tracking typically reveal about a person?
Legitimate scan analytics reveal aggregate, anonymous information: total scan counts, rough timing patterns, and general geographic region derived from IP address. It does not identify a specific individual unless you deliberately combine it with other personal data you collect separately.
Is it legal to track QR code scans?
Tracking aggregate, anonymous scan data is generally not restricted the way personal data collection is, but if you combine scans with identifying information such as a named customer account, you typically need to disclose that and, depending on your region, obtain consent, similar to any other data collection.
Do I need scan tracking for a simple one-time flyer?
Usually not. If you just need people to reach a webpage, menu, or contact card once, a free static QR code does the job with no ongoing dependency. Tracking is worth the added complexity mainly for repeated or multi-location campaigns where comparing performance matters.