I need to tell you about something that's been bothering me since I built AIToolboxBD — not as a privacy researcher or security expert, but as someone who creates free browser tools and realized how much surveillance gets baked into things we assume are harmless.
You know those QR codes on restaurant menus, event flyers, business cards? There's a very good chance you've been unknowingly tracking everyone who scans them — logging their GPS coordinates, device fingerprint, operating system, browser type, and exact timestamp of every scan. And it's completely legal because you agreed to the terms when you created the code. The people scanning it never did.
Let me show you exactly how this works.
The Free QR Code Generator You Used Isn't Actually Free
When you search "free QR code generator," you get tools that promise instant results with no signup required. You paste your URL, click "Generate," and boom — you've got a QR code. Simple. Fast. Free.
Except nothing about that transaction was free.
Here's what actually happened:
- You pasted your destination URL (let's say https://yoursite.com/menu)
- The generator uploaded it to their server and created a redirect URL (like https://qr-platform.io/abc123)
- The QR code encodes THAT redirect, not your actual URL
- You download the code and print it on your flyers, menus, business cards
- Every person who scans it hits their tracking server first before being redirected to your site
That tracking server logs everything:
- GPS coordinates (latitude/longitude accurate to meters)
- Device type (iPhone 15 Pro, Samsung Galaxy S24, etc.)
- Operating system (iOS 17.4, Android 14)
- Browser (Chrome, Safari, Firefox)
- Timestamp (exact date/time of scan)
- IP address (for additional geolocation)
### Who owns this data?
Not you. The platform does.
You created the code. You distributed it. You put it in front of people who trust you enough to scan it. But the data belongs to the platform that provided the "free" tool. You're not the customer — you're the supply chain.
This Is Called a "Dynamic QR Code" — And It's the Default
The QR code industry quietly split into two technical architectures years ago:
### 1. Static QR Codes (The Original Standard)
- Encode the final destination URL directly in the QR pattern
- No server involved
- No redirect
- No tracking
- Work forever (as long as QR readers exist)
### 2. Dynamic QR Codes (The Surveillance Model)
- Encode a redirect URL that points to the platform's tracking server
- Server logs analytics on every scan
- Platform can change the destination without reprinting the code
- Stop working if the company shuts down, rebrands, or discontinues free tier
Guess which one every major "free" QR generator gives you by default?
Dynamic. Always dynamic. Because static codes don't generate the data they need to monetize.

Data flow of a dynamic QR scan · GPS · Device fingerprint · OS · Browser · Timestamp — all before the redirect completes
The Legal Loophole: You Consented. They Didn't.
Here's the part that makes this technically legal but ethically rotten:
When you created the QR code, you clicked "Generate" on a website with terms of service buried at the bottom. Those terms grant the platform analytics rights, data collection permissions, and the ability to log scanner behavior. Legally, you agreed.
When someone scans your code, they see a QR pattern. They don't see terms of service. They don't know a tracking server is involved. They didn't agree to anything. They trusted you — not the platform you used.
The platform argues: "The person who created the tracker consented on behalf of their users."
But that's not how consent works. You can't consent to surveillance on behalf of someone who doesn't know they're being surveilled.
Yet legally, the scanner can't sue the platform because they never interacted with the platform. They interacted with you. You're the one who put the tracker in front of them.
You became the intermediary in a surveillance transaction you didn't fully understand.

Static QR codes · Permanent by design · No server dependency · No scan tracking · No expiration risk
Real-World Example: The Restaurant Menu That Sold Customer Locations
Imagine you own a small restaurant. You use a free QR code generator to create a code that links to your PDF menu. You print it on table tents. Customers scan it to see the menu.
What you think is happening:
- Customer scans code → views menu → orders food
What's actually happening:
- Customer scans code
- Their phone contacts qr-platform.io/xyz789
- Platform logs: GPS (exact table location if scanned in-restaurant), device type, timestamp
- Platform redirects to your menu PDF
- Customer views menu, unaware their location was just logged
Now multiply that by hundreds of scans per week. The platform now has:
- A heatmap of where your customers are physically located when they scan
- Device demographics (what phones your customers use)
- Behavioral timing data (lunch rush vs. dinner patterns)
None of your customers consented to this. They thought they were scanning a menu. They were actually checking in to a third-party analytics database.
And here's the kicker: You can't delete that data. It's on the platform's server. You created the code, but you don't control the logs.
The Business Model: You're Not Selling Data. You're Generating It For Someone Else.
QR code platforms don't sell your data. They sell aggregated analytics derived from millions of people like you who unwittingly turned their audience into a data-generation workforce.
The platform doesn't care about your restaurant menu. They care about the geolocation patterns of people who scan QR codes in restaurants. Multiply that across thousands of restaurants, and they've got a location intelligence dataset they can sell to:
- Ad networks (retargeting people who've been to specific locations)
- Market research firms (foot traffic analysis)
- Data brokers (enriching consumer profiles with offline behavior)
You didn't get paid. You got a free QR code. Your customers got surveilled.
How to Check If Your QR Code Is Tracking People
If you've created QR codes in the past and want to know if they're tracking scanners:
- Scan your own QR code with a smartphone
- Before it redirects, look at the URL in your browser
- If the URL is NOT your final destination, it's a dynamic code with a tracking server
Example:
- ❌ Dynamic (tracking): https://qr.io/abc123 → redirects to your site
- ✅ Static (no tracking): https://yoursite.com/page (direct)
If your code has a redirect, everyone who scans it is being logged.
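
The same check can be run on the decoded text itself, without following the link. This is an added example, not part of the original post or of AIToolboxBD's code: it compares the URL a QR reader shows you with the destination you intended. The function names and result labels are hypothetical; the hostnames are the article's own examples.

```javascript
// Added example: classify the text decoded from a QR code against the
// destination you meant to encode. Nothing is fetched; this is a string check.

function normalize(raw) {
  const u = new URL(raw.trim());            // throws if the payload is not a URL
  if (!/^https?:$/.test(u.protocol)) {
    throw new Error("not an http(s) URL");  // e.g. WIFI: or mailto: payloads
  }
  return {
    scheme: u.protocol,
    host: u.hostname.replace(/^www\./, ""), // URL() already lowercases the host
    path: u.pathname.replace(/\/+$/, "") || "/",
  };
}

function classifyQrPayload(decoded, intended) {
  let d, i;
  try {
    d = normalize(decoded);
    i = normalize(intended);
  } catch {
    return "not-a-web-url";
  }
  // A different host means the scan goes through someone else's server first.
  if (d.host !== i.host) return "intermediary-host";
  if (d.path !== i.path) return "same-site-different-path";
  if (d.scheme !== i.scheme) return "scheme-mismatch";
  // The query string is ignored on purpose, so a UTM-tagged URL still matches.
  return "static";
}

console.log(classifyQrPayload("https://qr-platform.io/abc123", "https://yoursite.com/menu"));
console.log(classifyQrPayload("https://www.yoursite.com/menu/", "https://yoursite.com/menu"));
```

A different host shows that an intermediary sits in the path; what that server records is not visible from the code itself.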
The Solution: Static QR Codes That Don't Phone Home
The fix is simple: use a QR code generator that creates static codes processed entirely in your browser.
Here's how static codes work:
- You open the generator (runs 100% in your browser, no server upload)
- You paste your destination URL
- JavaScript encodes it directly into the QR pattern using the ISO/IEC 18004 standard
- The code is generated locally on your device and downloaded as a PNG
- Nothing leaves your machine
When someone scans it:
- Their phone reads the pattern
- Extracts the URL
- Navigates directly to your site
- No redirect. No server. No log entry.
### What You Give Up
You lose the analytics dashboard. You can't see how many times the code was scanned, from where, or on which device. That data doesn't exist anywhere.
If you need scan analytics, you can add UTM parameters to your destination URL and track it using your own website analytics — analytics you control, tracking your content rather than your users.
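
One way to do this, as an added example that is not from the original post: tag each printed placement with its own static URL, then count scans per placement from your own server's access log. The placement names, the log lines and both function names are constructed for illustration; `utm_source`, `utm_medium` and `utm_content` are the standard UTM parameter names.

```javascript
// Added example. Log lines are constructed (documentation IP ranges), not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/May/2025:12:01:10 +0000] "GET /menu?utm_source=qr&utm_medium=print&utm_content=table-tent HTTP/1.1" 200 5120',
  '198.51.100.4 - - [12/May/2025:12:03:44 +0000] "GET /menu?utm_source=qr&utm_medium=print&utm_content=flyer HTTP/1.1" 200 5120',
  '203.0.113.9 - - [12/May/2025:19:20:02 +0000] "GET /menu?utm_source=qr&utm_medium=print&utm_content=table-tent HTTP/1.1" 200 5120',
  '198.51.100.8 - - [12/May/2025:19:21:30 +0000] "GET /menu HTTP/1.1" 200 5120',
  '203.0.113.2 - - [12/May/2025:19:25:00 +0000] "GET /old?utm_source=qr&utm_content=flyer HTTP/1.1" 404 310',
];

// Build the URL to encode in a static QR code for one printed placement.
function tagForPlacement(destination, placement) {
  const u = new URL(destination);
  u.searchParams.set("utm_source", "qr");
  u.searchParams.set("utm_medium", "print");
  u.searchParams.set("utm_content", placement);
  return u.toString();
}

// Count successful QR-tagged requests per placement. Only the request path and
// status are read; the client IP and user agent fields are never touched.
function countScansByPlacement(lines) {
  const counts = new Map(); // Map, not a plain object: keys come from request data
  for (const line of lines) {
    const m = /"GET (\S+) HTTP\/[\d.]+" (\d{3})/.exec(line);
    if (!m || m[2][0] !== "2") continue;      // skip non-GET and non-2xx
    let u;
    try {
      u = new URL(m[1], "https://yoursite.com"); // base only resolves the path
    } catch {
      continue;                                // malformed request target
    }
    if (u.searchParams.get("utm_source") !== "qr") continue;
    const placement = u.searchParams.get("utm_content") || "(untagged)";
    counts.set(placement, (counts.get(placement) || 0) + 1);
  }
  return counts;
}

console.log(tagForPlacement("https://yoursite.com/menu", "table-tent"));
console.log(countScansByPlacement(SAMPLE_LOG));
```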
What Everyone Gains
- Scanner privacy: No GPS logging, no device fingerprinting, no profiling
- Permanent codes: Works forever (no expiration, no company shutdown risk)
- No surveillance database: Your audience isn't unknowingly enrolled in a tracking system
I Built a Privacy-First QR Generator Because I Couldn't Find One That Didn't Track
After realizing how pervasive dynamic tracking had become, I built AIToolboxBD's Free QR Code Generator specifically to solve this:
- ✅ 100% local processing (zero server upload)
- ✅ Static codes only (no tracking, no redirect)
- ✅ No account required
- ✅ Never expires (the data is in the pattern, not on a server)
Even if AIToolboxBD shuts down tomorrow, the codes you generated will keep working forever. That's the point.
You're Not the Villain. The System Is.
You didn't do anything wrong. You used a free tool because it was convenient. You didn't read 47 pages of terms and conditions because nobody does.
But the result is the same: everyone who trusted you enough to scan your code had their location logged, their device fingerprinted, and their behavior profiled — without their knowledge and without their consent.
The fix isn't to stop using QR codes. The fix is to use QR codes that don't have surveillance baked into their architecture by design.
Static codes exist. Tools to generate them exist. There's no technical barrier. There's no cost barrier. There's only the awareness barrier — and you just crossed it.
One Last Thing
If you've printed QR codes in the past and just realized they've been tracking people:
What did you do with those codes?
Did you leave them up? Did you take them down? Did you replace them with static codes?
I'm genuinely curious how people react when they realize the "free" tool they used wasn't free for the people who trusted them enough to scan.
Drop a comment — I'd love to hear your thoughts.
If you found this useful, consider checking out AIToolboxBD — I'm building privacy-first browser tools that work entirely on your device. No uploads, no tracking, no surveillance.

