QR Code Tracking Without Compromising Privacy
QR code services love to pitch "scan analytics" as a key feature. See how many times your code was scanned, from what city, on what device, at what time. Sounds useful for marketing. But the way most services implement it creates real privacy problems -- for you and for the people scanning your codes.
How QR code tracking actually works
When a QR code service offers scan tracking, here's what's happening under the hood: the QR code doesn't link directly to your destination. Instead, it links to the service's redirect server. Every scan passes through their infrastructure, where they log:
- IP address -- which reveals approximate location
- User agent -- which reveals device type, operating system, and browser
- Timestamp -- exact time of scan
- Referrer data -- in some cases, additional context about the scan
This data doesn't just go to you. It sits on the QR code service's servers, under their privacy policy, subject to their data practices. You're essentially funneling every person who scans your code through a third party's tracking infrastructure.
Static QR codes: zero tracking by design
A static QR code encodes the destination URL directly. When someone scans it, their phone goes straight to your site. No middleman, no redirect, no logging by a third party.
This is how qrmake.dev works. We generate the QR code in your browser and that's it. We don't see what you encode, we don't host redirects, and we have zero visibility into who scans your codes. That's the point.
If you actually need analytics
Sometimes you genuinely need to know how a QR code campaign is performing. The good news: you can get that data without outsourcing your users' privacy to a QR code vendor. Use UTM parameters.
Instead of encoding a bare URL like:
https://yoursite.com/promo
Encode a URL with UTM tags:
https://yoursite.com/promo?utm_source=flyer&utm_medium=qr&utm_campaign=spring2026
When someone scans and visits that URL, your own analytics platform picks up the UTM parameters and attributes the visit correctly. You can use any analytics tool you already have:
- Google Analytics -- the default choice, though it comes with its own privacy considerations
- Plausible -- lightweight, privacy-focused, no cookies
- Umami -- open source, self-hostable, GDPR-friendly
- Fathom -- simple, privacy-first analytics
With this approach, you see how many visits came from each QR code (by varying the UTM parameters per code), which campaigns drive traffic, and all the standard web analytics you're used to. The difference: the data lives on your analytics platform, under your control, governed by your privacy policy.
Different UTMs for different codes
If you're printing QR codes in multiple locations and want to know which ones get scanned most, vary the utm_content parameter:
- Store entrance:
utm_content=entrance - Receipt:
utm_content=receipt - Table tent:
utm_content=table
Each gets its own QR code, and your analytics dashboard shows exactly which placement drives the most traffic. Same insight as a QR tracking service, but without the dependency or the privacy cost.
Don't outsource what you can own
There's a pattern in tech where simple capabilities get wrapped in services that create dependency and extract data. QR code tracking is a textbook example. The underlying need -- "how many people scanned this" -- is trivially solved with tools you already have. If you're evaluating options, our comparison of free QR code generators covers what to watch out for.
Generate a free static QR code with UTM parameters baked into the URL. Keep the analytics on your own platform. Keep your users' data out of someone else's database.