QR Code Privacy: Generate and Scan Codes Safely

QR codes are everywhere these days — on restaurant menus, posters, business cards, and payment terminals. But they can contain far more than just a simple URL. Understanding exactly what is inside a QR code before you scan it, and generating your own codes safely, protects you from both tracking and phishing attacks.

What Can QR Codes Actually Contain?

A QR code is simply a machine-readable format capable of encoding any string of text. The most common uses include URLs (by far the most frequent), plain text, contact cards (vCard), Wi-Fi credentials, calendar events, and payment information. The privacy risks here are very real. Malicious QR codes can redirect you to convincing phishing sites that look identical to the legitimate ones. QR codes placed in physical spaces can embed tracking parameters that record exactly when and where you scanned them. Some even redirect through URL shorteners that quietly collect analytics about every single scan. On the generation side, most QR code websites create the codes server-side and log all the data you encode. So if you are generating a QR code that contains a password, a Wi-Fi key, or personal contact details, all of that data passes straight through their servers.

Using QR Codes Safely

  • 1Before scanning any unknown QR code, use a QR scanner that clearly shows you the full destination URL before actually opening it. Never let a QR code automatically launch your browser — always review where it points first, then decide whether to proceed.
  • 2Generate your QR codes locally whenever possible. PrivaQR creates QR codes entirely inside your browser — the data you encode (URLs, contact information, Wi-Fi passwords) never leaves your device at any point. This is absolutely critical whenever the content is sensitive.
  • 3For important use cases (business cards, Wi-Fi sharing, or payments), always use a static QR code that you can independently verify and reproduce. Steer clear of third-party dynamic QR services that route through their own servers, since those can be silently changed or deactivated at any time.

QR Code Security Tips

Be especially skeptical of QR codes in public spaces that look like they may have been stuck on top of an existing code — this is a common and effective physical phishing attack. For Wi-Fi QR codes (which encode your password in plain text directly within the QR pattern), only share them with people you genuinely trust, and consider rotating your password afterward if you are worried about wide distribution. When sharing your contact information via a QR code, consider encoding only non-sensitive fields (such as your name and website) rather than your full phone number and home address. Regularly check that any QR codes you have printed or shared still point reliably to the correct, intended destination.

Generate QR codes privately — no data sent to servers

Try PrivaQR
All Guides