← All articles

How to Track QR Code Scans (Without Crossing the Privacy Line)

5 July 2026 · 7 min read

You've put a QR code on the poster, the packaging, the till receipt. Weeks go by. And you're left wondering: is anyone actually scanning that thing?

Here's the answer nobody selling QR codes wants to lead with: if you made a plain, static QR code with a free generator, you have no way of knowing. Not because you're missing some setting — because the code itself doesn't report anything back. It's a dead end by design.

To get real numbers, you need a different kind of code, and a bit of care about how the tracking is done. Let's get into both.

Why a static QR code tells you nothing

A static QR code is just a picture. Whatever you encoded — a URL, a WiFi password, contact details — is baked directly into that pattern of squares. Point a phone at it, and the phone reads the pattern and acts on it immediately. Nobody's server is involved. Nothing gets logged. There's no "scan event" for anyone to see.

It's the same as printing your phone number on a leaflet: functional, but you'll never know if anyone actually dialled it. You might see a bump in website visits after a print run goes out, but you can't tell whether that came from the QR code, someone typing the URL, or a coincidence.

Fine if all you want is a working link. Not fine if you're trying to work out whether the poster by the till outperforms the one in the window, or whether last month's flyer drop did anything at all.

The fix: a dynamic QR code

A dynamic QR code looks identical to a static one, but it works differently under the hood. Instead of encoding your final destination directly, it encodes a short redirect link controlled by a tracking service. Scan it, and your phone briefly opens that service's link, which logs the scan and instantly bounces you on to the real destination. To the person scanning, it's seamless — a fraction of a second, no visible difference.

That's your measurement point. Every redirect is a scan the service can count.

There's a second, genuinely useful side-effect of this setup: because the code points to a redirect rather than your final URL, you can change where it sends people — after it's already printed. Run a launch campaign this month, point the same code at a seasonal offer next month, all without touching the physical poster. A static code can never do that; once it's printed, it's fixed forever. If you want the fuller comparison, we've laid it out in dynamic vs static QR codes.

What you can actually measure

Set up a dynamic code through a decent service and here's the realistic picture you'll get:

  • Total scans. The headline number — how many times the code's been used.
  • Scans over time. A trend line showing whether interest is building, flat, or already fading. Useful for spotting whether a campaign actually landed, or whether scans dropped off a cliff after week one.
  • Rough device type. Mobile versus desktop, iOS versus Android — a broad-strokes picture, not much more.
  • Approximate location. City or region level. "Most scans came from Manchester" is a useful signal for a regional push. Anything more precise than that isn't something a responsible service should be offering you.

That's genuinely it, and it's genuinely enough. What you should not expect, and what a privacy-conscious provider will simply refuse to build, is anything resembling an individual profile — tracking a specific person's movements, linking scans to an identity, building a history of "this person scanned this code, then that one, then bought this." That's not analytics. That's surveillance, and in Europe it's also against the law.

Turning scan numbers into decisions

Raw counts are only useful once you compare them against something.

Placement. Two codes, two locations — the one with more scans relative to footfall tells you where to invest. If the code on the back of the pack outperforms the one on the side, that's your answer for the next print run.

Timing. A spike after a social post or an email send tells you the campaign got noticed. A code that goes quiet after day one suggests curiosity without staying power — worth knowing before you commit budget to more of the same.

Campaign fit. Ran a seasonal offer? Compare scans during the campaign window against the weeks either side. If nothing moved, the message didn't land — cheaper to learn that from scan data than from a quiet till.

None of this tells you why someone scanned, or what they did next on your site. For that, you need to join the dots to your own analytics.

Add UTM parameters for the full picture

Most dynamic QR services let you tag the destination URL with UTM parameters — something like yoursite.com/?utm_source=qr&utm_medium=poster&utm_campaign=summer_sale. Do that, and Google Analytics (or whatever you use) will tag every visitor who came through that specific code, showing you not just that they scanned, but what they browsed, whether they bought, how long they stayed.

The QR service answers "how many people scanned." Your website analytics answers "what did they do once they got there." Together, they answer the question you actually care about: did this thing work?

The GDPR line: why hosting and IP logging matter

Here's the bit most QR generators would rather not dwell on. A scan generates an IP address, and under GDPR (and UK data protection law) an IP address counts as personal data — it can identify, or help identify, a person. So the moment you start tracking scans, you're processing personal data, and that comes with obligations: a lawful basis for collecting it, transparency about the fact you're tracking, and data kept to the minimum you actually need.

Plenty of QR tools — including several big, well-known ones — sidestep this by logging raw IP addresses indefinitely, hosting outside the EU, and offering no Data Processing Agreement at all. That's a liability sitting quietly under your marketing, not a technicality.

A privacy-safe alternative looks different: data hosted within the EU, so it's governed by EU law rather than exported elsewhere; no raw IP addresses logged, ever — only aggregated counts and rough location; and a signed DPA included as standard, spelling out exactly what's collected and how it's protected. That's the model qrius.io is built on — hosted in Stockholm, no raw IP logging, DPA included — precisely so EU and UK businesses can track scans without quietly taking on GDPR risk.

Setting it up

  1. Pick a dynamic QR service — one that's upfront about where data lives and whether it logs raw IPs.
  2. Create the code, pointing it at your destination URL. Add UTM parameters now if you want the traffic tagged in your own analytics later.
  3. Print or publish it. Because it's dynamic, you can repoint it later without reprinting anything.
  4. Check the dashboard after the first week or two — scans usually show up close to real time.
  5. Compare placements and campaigns rather than staring at any single number in isolation.
  6. Review monthly, and put more of your effort behind whatever's actually getting scanned.

FAQ

Can you tell how many people scanned a QR code? Only with a dynamic QR code. A static one — the kind most free generators produce — reports nothing back, so there's no way to count scans on it at all.

Can a QR code track who specifically scanned it? No, and a legitimate service won't try. You get counts, rough timing, and broad location — not names, not individual profiles, not a history tied to a person.

Do I need a Data Processing Agreement for QR tracking? If you're in the EU or UK, or you have EU/UK customers, yes. Scan data includes IP addresses, which count as personal data, so you need a lawful basis and a DPA with whatever service is processing that data on your behalf.

Can I use UTM parameters with a QR code? Yes — add them to the destination URL behind your dynamic code, and tools like Google Analytics will tag that traffic accordingly, letting you see conversions, not just scans.

What if I'm not based in the EU? If any of your customers are, GDPR still applies to their data. It's simpler to just use a privacy-safe service from the start than to run separate tracking setups by geography.


A QR code doesn't have to be a silent square you're hoping is working. Swap the static code for a dynamic one, point it through a service that counts scans without hoovering up personal data, and you'll actually know what's happening — without creating a compliance problem for yourself in the process.

Try qrius.io free to set up a dynamic QR code with EU hosting, no raw IP logging and a DPA built in. And if you're still deciding whether you need dynamic at all, our guide to dynamic vs static QR codes covers the full trade-offs.

Create a GDPR-safe QR menu — free

Dynamic QR codes, EU-hosted in Stockholm, no raw IP logging, DPA included.

Start free →