Can someone track you when you scan a QR code?

Short answer: sometimes. Whether you can be tracked when you scan a QR code depends on two separate things, and the QR industry is not great at explaining either of them.

Let’s separate them.

Question 1: Does scanning the QR itself send any signal?

No. The QR code is a piece of paper or a pixel grid on a screen. Reading it is a purely local operation — your phone’s camera resolves the image, decodes the bits, and produces a string. Nothing leaves your device at this stage. There is no “QR scan event” being phoned home anywhere.

This is true regardless of what kind of QR it is. The mere act of reading the dots is private.

Question 2: What happens after you act on the decoded string?

This is where tracking becomes possible — and the answer depends entirely on what the QR pointed at.

Case A: a static QR pointing directly at a website

Say the QR encodes https://example.com/menu. Your phone opens that URL. The website at example.com sees a request from your IP address, with whatever cookies and headers your browser sends. That’s the same information any website gets when you click a link, type a URL, or follow a search result.

There is no QR-specific tracking. The site can log the visit, sure — but the QR didn’t add anything beyond what you’d reveal by typing the URL by hand.

Case B: a dynamic QR (the redirect kind)

Now say the QR encodes https://qr-provider.example/r/abc123. Your phone opens that URL. The provider’s redirect server logs the request — including a per-code identifier that distinguishes scans of this code from scans of any other code they manage — and then 302-redirects you to the real destination.

The redirect-server hop is the part most users don’t realize is happening. From the provider’s perspective, every scan is an event they can record:

• A timestamp.
• The IP address (often used to derive coarse location like country/region).
• The user-agent string (which leaks browser, OS, and rough device class).
• The referer (often empty for camera scans, sometimes set when the QR is on a webpage).
• An identifier unique to the code that was scanned.

Some providers also fingerprint the device, set tracking cookies on the redirect domain, or sell the resulting telemetry to data brokers. Most won’t tell you which.

The provider is then a third party in the loop, even if the destination site itself is privacy-friendly.

Case C: a static QR pointing at a tracking-heavy site

Even a static QR can lead to a tracking-heavy destination. If the URL is https://shop.example/?utm_source=poster_a&utm_campaign=spring_sale, the destination site can correlate your visit with the specific poster the QR was on. That’s not really “QR tracking” — it’s normal web analytics — but it’s worth knowing it can happen with any QR, static or not.

What “tracking” usually means in practice

When QR-as-a-service providers boast about analytics, they typically capture:

• Per-scan timestamps (so they can graph “scans per hour”).
• Approximate location derived from IP (city or region level).
• Device class and OS from the user-agent.
• Repeat-vs-new scans if they use a tracking cookie on the redirect.

What they don’t usually capture, even with dynamic QRs:

• Your name, email, phone number, or any identity. They have no way to get those from a scan unless you fill out a form on the destination page.
• Your contacts, photos, or anything stored on your phone. Scanning a QR doesn’t give a website any unusual access.
• Your activity before the scan. The provider only sees the scan event itself.

What AFQR records

Because the brand promise here is “actually free, with the privacy that implies,” it’s worth being specific about what we do and don’t record on dynamic QRs:

What gets recorded for a scan of an afqr.codes short link:

• Timestamp of the scan.
• Country (derived at request time from IP, then thrown away).
• User-agent string.
• Referer if present.
• The slug that was scanned (so the code’s owner can see their stats).

What we don’t record:

• The scanner’s IP address (we use it for country lookup at the moment of the request and discard it; it never gets stored).
• A persistent identifier or cookie on the scanner’s device.
• The scanner’s contact info, account info, or anything else identifying.

Scan events live in Cloudflare Analytics Engine and age out automatically after roughly 90 days. The dashboard you see when you own a code shows daily counts and country breakdowns; we deliberately don’t store enough to do anything beyond that.

For static QRs generated on AFQR, there is nothing to track at all — those codes don’t pass through us. The encoding happens in your browser, the QR points directly at your URL, and we never see a single scan.

What you can do as a scanner

If you’re scanning random QRs in the wild and you’d like to minimize what’s recorded:

• Watch the URL preview your phone shows after a scan. If you see a redirect domain you don’t recognize, that’s a dynamic QR, and the provider will log the scan.
• A VPN masks your IP from both the redirect provider and the destination. It doesn’t hide everything, but it hides your network location.
• Private browsing mode prevents persistent tracking cookies from sticking around between visits.
• Use a QR scanner that surfaces the destination URL before opening it (most modern phone cameras do this by default).

What you can do as a creator

If you’re generating QRs and you want to be respectful of the people who scan them:

• Default to static QRs unless you genuinely need to update the destination later.
• If you must use dynamic, pick a provider whose privacy practices you can read in plain English. Ours are here.
• Don’t add personally identifying parameters to the destination URL unless you’ve told scanners that’s happening.
• Skip the surveillance-grade analytics tooling unless you actually need it. Daily-counts-by-country is enough for most use cases, and it’s all we offer.

The TL;DR: scanning a QR isn’t inherently a tracking event, but it can become one depending on the kind of code and where it points. Being slightly intentional about both ends of the chain solves most of it.