QR Code Privacy: How QR Nova Handles Your Data
QR code privacy explained: what QR Nova stores, what it doesn't, how we anonymize scan data, and how GDPR compliance works.

This article was written by the QR Nova team. We build QR code software, which may inform our perspective.
Most QR code generators publish a privacy policy written by lawyers for lawyers. Somewhere in the document it says "we take your privacy seriously," and that's about as specific as it gets. You're left guessing what data they actually collect, who sees it, and what happens when you delete your account. This post is different. We're going to tell you exactly what QR Nova collects, what we don't collect, how we anonymize scan data, and what your rights are, in plain language, with no legal padding.
TL;DR
- Static QR codes are generated in your browser. Zero data reaches our servers. No account needed.
- Dynamic QR codes collect anonymized scan analytics: hashed IP (irreversible), country, city, device category, OS name, browser name, language, and referrer URL when present.
- We never store raw IP addresses in scan records or security logs. Every IP is passed through SHA-256 hashing before it touches our database.
- Website visitor tracking is denied by default — analytics and marketing tags require explicit consent. QR scan analytics are separate: they run at the server redirect level and are not controlled by the cookie banner.
- We don't sell, share, or trade scan data. No ad networks. No data brokers.
- You can delete your account and all associated data at any time, no support ticket needed.
What data QR nova collects (and what it doesn't)
Generate your first QR code — free
Get startedThere are two sides to QR code data: what we know about you (the person creating codes), and what we know about scanners (the people scanning your codes). These are very different things, and most QR code platforms blur the line between them.
What we store about you (account holders)
When you create an account, we store your email address, your name (if you provide one via Google sign-in), and your workspace settings. That's it. We don't ask for your phone number, physical address, company name, or any demographic information. We don't build a profile of you beyond what's needed to run the service.
Your QR codes, their destinations, their design settings, and their scan history are stored and associated with your account. If you delete your account, all of this goes with it.
What we store about scanners (people who scan your codes)
This is where it gets important, because this is where most QR code generators are vague. Here's what happens when someone scans one of your dynamic QR codes:
| Data point | What we store | What we don't store |
|---|---|---|
| IP address | SHA-256 hash (irreversible) | The raw IP address, ever |
| Location | Country and city (derived from IP before hashing) | Street address, GPS coordinates, or precise location |
| Device | Device category (mobile, desktop, tablet) | Device model, serial number, or unique identifiers |
| Operating system | OS name (e.g., iOS, Android, Windows) | OS version or kernel details |
| Browser | Browser name (e.g., Chrome, Safari) and language preference | Full user agent string, browser fingerprint, or cookies |
| Timestamp | When the scan occurred | — |
| UTM parameters | Campaign tags if present in the URL | — |
| Referrer URL | Referring URL when present | Full browsing history |
| Identity | Nothing | Name, email, phone, account info, or any personal identifier |
The purpose of scan analytics is to tell you how many people scanned your code, roughly where from, and on what kind of device. It's aggregate insight, not individual tracking. We can't tell you who scanned your code. We can't reverse an IP hash to find out. That's by design.
Static QR codes: zero data by design
If you generate a static QR code on QR Nova, the situation is even simpler: we collect nothing. Static codes are generated entirely in your browser. The destination URL is encoded directly into the QR pattern. No redirect passes through our servers. No scan is recorded. No analytics exist. We literally don't know the code was created.
This matters for use cases where privacy is non-negotiable: medical information, internal corporate links, personal contact details, or anything where even anonymized tracking is unwanted. A static QR code from QR Nova is as private as writing a URL on a piece of paper.
How we anonymize scan data
The phrase "we anonymize your data" has become meaningless through overuse. Every company says it. Few explain what they mean. Here's exactly what we do.
When a scan event arrives, the scanner's IP address is passed through SHA-256, a cryptographic hash function. This converts the IP into a fixed-length string of characters. The critical property of SHA-256 is that it's a one-way function: you can go from IP to hash, but you cannot go from hash back to IP. There is no key, no decryption, no way to reverse it.
We use the hash for two purposes: deduplication (so one person scanning the same code five times in a row counts as one scan, not five) and aggregate analytics (scan counts by region). After hashing, the raw IP is discarded. It is never written to our database. The same hashing applies to security audit records (login events, API key operations)—those logs also store only the hashed IP, never the original.
This means that even if our database were somehow compromised, an attacker would find hashed strings, not IP addresses. And even we, as the platform operator, cannot identify individual scanners from our own data.
Account security
Privacy and security are different things, but they depend on each other. Data that's private but poorly secured isn't really private. Here's how we protect access to your account.
Passwordless authentication
Our primary login method is passwordless magic links. When you sign in, we send a one-time link to your email. That link uses a cryptographically random token with high entropy, and the token is hashed before being stored, so even our own database never contains a usable login token. Each link expires in 15 minutes and can only be used once. After use, it's deleted.
We also support Google OAuth for users who prefer it. Both methods avoid the biggest authentication vulnerability: reused passwords.
Bot protection
Our sign-in page includes challenge-based bot protection to prevent automated credential stuffing and brute-force attacks. We also maintain a blocklist of over 3,000 disposable email domains to prevent throwaway account abuse.
API key security
If you use the QR Nova API, your API keys are hashed before storage using HMAC with a server-side secret. We cannot read your API key after it's created, you see it once, and then it exists only as an irreversible hash on our end. If your key is compromised, you revoke it and generate a new one.
Rate limiting
Every endpoint, public pages, authentication, and API calls, is rate-limited. Free-tier users get lower burst limits; paid plans scale up. This prevents abuse, brute-force attacks, and denial-of-service attempts. Rate limits are enforced at the edge before requests reach our application.
GDPR compliance — not a checkbox, a system
GDPR compliance isn't a certificate you hang on the wall. It's a set of behaviors that either happen in your code or don't. Here's how ours work.
Denied by default
When you first visit QR Nova, all non-essential tracking is denied. Analytics cookies, marketing cookies, and advertising tags are blocked. Nothing fires until you explicitly make a choice. This isn't a technicality, our consent system integrates with Google's Consent Mode v2, which means Google Analytics and Google Ads tags literally cannot activate until consent is granted.
This consent system applies to website visitor tracking. QR scan analytics work differently: when someone scans a dynamic QR code, the redirect passes through our servers before the scanner ever loads a page in their browser. That server-side event is what records the scan—it runs independently of any cookie banner. Scanners are not interacting with our marketing website; they are using a redirect service. The privacy protection there comes from data minimization and IP hashing, not from consent gates.
Genuine choice
Our cookie consent banner presents "Accept" and "Decline" with the same visual weight. No dark patterns. No color tricks to make "Accept" more prominent. No "legitimate interest" toggles buried in a sub-menu. You can also customize which categories (analytics, marketing) you accept or decline individually.
Auditable consent records
Every consent decision, accept, decline, or custom, is logged with a timestamp, an anonymous identifier (not your account, not your IP), and the specific choices made. This log exists so that if a regulator ever asks "can you prove this user consented to analytics tracking?", we can answer with a timestamped record. The IP address in the consent log is hashed, same as scan data.
Right to deletion
You can delete your account from the dashboard settings. No support ticket. No "please email us and wait 30 business days." The deletion is processed automatically after a short grace period (in case you change your mind). Once that window closes, your account, QR codes, scan data, and consent records are permanently removed.
Third-Party services and what they see
No web application runs in complete isolation. We use a small number of third-party services, and here's exactly what each one sees:
| Service | Purpose | What they receive | Condition |
|---|---|---|---|
| Payment processor | Subscription billing | Email, payment method, billing history | Only if you subscribe to a paid plan |
| Email service | Transactional emails (magic links, welcome, receipts) | Your email address | Only when we need to send you an email |
| Analytics | Understanding how visitors use our website | Anonymized usage data | Only if you grant analytics consent |
| Error monitoring | Detecting and fixing bugs | Error context (no personal data) | Automatic, minimal data |
That's the complete list. No advertising networks. No data enrichment services. No "partners" who buy access to scan analytics. We don't monetize your data because we monetize the product. Our business model is subscriptions, not surveillance.
Static vs. dynamic: a privacy comparison
The privacy profile of a QR code depends entirely on whether it's static or dynamic. This distinction is worth repeating because it's the single most important privacy decision you make when creating a QR code.
| Feature | Static QR code | Dynamic QR code |
|---|---|---|
| Generated where | Your browser (client-side) | Our servers |
| Data sent to QR Nova | None | Destination URL and design settings |
| Scan tracking | None, impossible | Anonymized analytics (hashed IP, country, city, device, OS, browser name, language, referrer) |
| Editable after printing | No | Yes, change destination without reprinting |
| Account required | No | Yes |
| Best for privacy | Yes, zero data footprint | Good, anonymized, but data exists |
If your use case doesn't need editability or scan analytics, a static QR code gives you the best possible privacy: literally zero data collection. For cases where you need to track performance or update destinations, dynamic codes give you analytics with meaningful privacy protections built in.
For a deeper dive into the functional differences, see our static vs. dynamic QR codes guide.
What we'd tell you even if it were uncomfortable
Transparency cuts both ways. Here are things we think you should know, even though they're not marketing-friendly:
- Dynamic QR codes do involve a redirect through our servers. That's how scan analytics work. The redirect happens server-side, before any page loads in the scanner's browser, so it is not subject to cookie consent. Privacy protection for scanners relies on data minimization (we only collect what's listed in the table above) and irreversible IP hashing, not on opt-in consent. If the idea of any data collection bothers you, use a static code.
- Country and city-level location data is derived from IP addresses before hashing. This means we extract geographic information from your scanner's IP, then discard the IP. The location data itself is approximate, city-level at best, but it does exist in your analytics dashboard.
- We don't hold any security certifications (yet). We haven't pursued ISO 27001 or SOC 2. What we have is a set of concrete security practices documented on this page. We'd rather show you what we actually do than wave a certificate that doesn't tell you anything specific.
- If we're ever compelled by law enforcement to produce data, we can only produce what we have. For scan events, that's hashed IPs and approximate locations. For accounts, that's email addresses and QR code configurations. We can't produce raw IPs because we don't have them.
The bottom line
Privacy in the QR code industry is a low bar. Most generators either don't address it or address it with vague legal language that protects the company, not the user. We built QR Nova with a different assumption: the less data we store, the less can go wrong, for you and for us.
Static codes collect nothing. Dynamic codes collect anonymized analytics (hashed IP, country, city, device, OS, browser name, language, referrer). IPs are hashed before storage—for scan records and security logs alike. Website visitor tracking is consent-gated. Deletion is self-service. Third-party data sharing doesn't exist.
If you have questions about any of this, our Privacy Policy, Terms of Service, and Cookie Policy contain the legally binding versions. This post is the human-readable one.
Frequently asked questions
Does QR Nova track who scans my QR code?
It depends on the type of code. Dynamic QR codes collect anonymized scan analytics: a one-way hash of the scanner's IP address, approximate location (country and city), device type, and browser language. We cannot identify individual scanners, the IP hash is irreversible. Static QR codes collect nothing at all. They are generated entirely in your browser and never contact our servers.
Can QR Nova see the IP addresses of people who scan my codes?
No. Before any scan record is stored, the scanner's IP address is passed through a SHA-256 hash, a one-way cryptographic function. The result is a fixed-length string that cannot be reversed to reveal the original IP. We never store raw IP addresses—not in scan records, not in security logs.
Is QR Nova GDPR compliant?
Yes. All tracking is denied by default until the visitor makes a consent decision. The consent banner gives Accept and Decline equal visual weight, no dark patterns. Every consent decision is logged with a timestamp and anonymous identifier for audit purposes. Users can request account and data deletion at any time.
What happens to my data if I delete my account?
When you request account deletion, there is a short grace period in case you change your mind. After that window closes, your account, QR codes, scan history, and all associated data are permanently deleted. This process is automated, no manual request or support ticket required.
Does QR Nova sell scan data to third parties?
No. We do not sell, share, trade, or otherwise distribute scan data to any third party. Scan analytics exist solely for your own dashboard. We have no advertising network partnerships and no data broker relationships.
Can I use QR Nova without creating an account?
Yes. Static QR codes, including URL, WiFi, vCard, email, phone, and SMS codes, can be generated without an account. These codes are created entirely in your browser. No data is sent to our servers, no tracking is attached, and no account is required.
Related articles
QR Code Security Best Practices for Platforms
QR code security best practices for platforms: URL validation, redirect auditing, scan anomaly monitoring, abuse prevention, and enterprise audit logs.
Can QR Codes Be Hacked? The Real Risks
Can QR codes be hacked? The code itself can't, but quishing attacks trick you after scanning. Learn the real threats and how to stay safe. Free guide.
Are QR Codes Safe to Scan? Honest Risks
Are qr codes safe? The code itself can't harm you, but where it sends you can. Learn the actual risks, the myths, and how to scan safely.
Generate your first QR code — free
Get started