What Data Do QR Codes Contain?
QR codes can encode a wide variety of content types, and some of them carry sensitive personal or business information: β’ URLs β website addresses, including private internal links or authentication tokens β’ WiFi credentials β network name (SSID) and password in plain text within the QR pattern β’ Contact cards (vCard format) β full name, multiple phone numbers, email addresses, physical address, organization β’ Email addresses with pre-composed subjects and message bodies β’ Phone numbers and pre-written SMS messages All of this data is embedded directly in the QR code pattern and can be read by anyone who scans it or decodes the image.
Risks of Online QR Generators
Many online QR code generators pose hidden privacy risks that most users never consider: β’ Your WiFi password is transmitted in plain text to their server during generation β potentially logged and accessible to their staff β’ Contact information including phone numbers, email addresses, and home addresses is sent to and logged by their servers β’ Some services inject tracking redirect URLs that route through their servers, allowing them to monitor every scan β who scanned it, when, from what location β’ QR codes generated by third-party dynamic URL services may expire or be modified later without your knowledge β’ Your usage patterns β what types of QR codes you generate β reveal potentially sensitive business and personal information β’ There is no guarantee that the data you submitted is deleted after the QR code is generated
How PrivaQR Protects Your Data
PrivaQR uses the qrcode.js JavaScript library to generate QR codes entirely in your browser using client-side computation: β’ Zero network requests during generation β all QR code creation happens locally via JavaScript, with no data sent to any server β’ WiFi passwords are encoded into the QR pattern locally and never leave your device β’ Contact details stay completely private on your device throughout the generation process β’ No tracking URLs are injected β your QR codes link directly to your intended destination without routing through any intermediary β’ Custom colors, error correction level, and output size are all processed client-side β’ Download as PNG or SVG without any server interaction
Why QR Codes Are Uniquely Easy to Abuse
Two properties make QR codes risky in a way ordinary links are not. First, they are unreadable to humans β you cannot tell a legitimate destination from a malicious one by looking, so a code physically pasted over a real one (on a parking meter, a restaurant table, a delivery notice) can route you somewhere hostile with no visible warning. This "quishing" (QR phishing) has been documented against banks and transit systems worldwide. Second, generation leaks the secret: because the encoded data β a WiFi password, a home address in a vCard β is created the instant you type it into a generator, a server-side generator sees the raw value before the image even exists. The defense is structural: generate locally so the secret never travels, and always preview a scanned code's decoded URL before acting on it.