GuideNacho G.10 min read

QR Code Privacy: How QR Nova Handles Your Data

QR code privacy explained: what QR Nova stores, what it doesn't, how we anonymize scan data, and how GDPR compliance works.

QR Code Privacy: How QR Nova Handles Your Data

This article was written by the QR Nova team. We build QR code software, which may inform our perspective.

Most QR code generators publish a privacy policy written by lawyers for lawyers. Somewhere in the document it says "we take your privacy seriously," and that's about as specific as it gets. You're left guessing what data they actually collect, who sees it, and what happens when you delete your account. This post is different. We're going to tell you exactly what QR Nova collects, what we don't collect, how we anonymize scan data, and what your rights are, in plain language, with no legal padding.

TL;DR

  • Static QR codes are generated in your browser. Zero data reaches our servers. No account needed.
  • Dynamic QR codes collect anonymized scan analytics: hashed IP (irreversible), country, city, device category, OS name, browser name, language, and referrer URL when present.
  • We never store raw IP addresses in scan records or security logs. Every IP is passed through SHA-256 hashing before it touches our database.
  • Website visitor tracking is denied by default — analytics and marketing tags require explicit consent. QR scan analytics are separate: they run at the server redirect level and are not controlled by the cookie banner.
  • We don't sell, share, or trade scan data. No ad networks. No data brokers.
  • You can delete your account and all associated data at any time, no support ticket needed.

What data QR nova collects (and what it doesn't)

Generate your first QR code — free

Get started

There are two sides to QR code data: what we know about you (the person creating codes), and what we know about scanners (the people scanning your codes). These are very different things, and most QR code platforms blur the line between them.

What we store about you (account holders)

When you create an account, we store your email address, your name (if you provide one via Google sign-in), and your workspace settings. That's it. We don't ask for your phone number, physical address, company name, or any demographic information. We don't build a profile of you beyond what's needed to run the service.

Your QR codes, their destinations, their design settings, and their scan history are stored and associated with your account. If you delete your account, all of this goes with it.

What we store about scanners (people who scan your codes)

This is where it gets important, because this is where most QR code generators are vague. Here's what happens when someone scans one of your dynamic QR codes:

Data point What we store What we don't store
IP address SHA-256 hash (irreversible) The raw IP address, ever
Location Country and city (derived from IP before hashing) Street address, GPS coordinates, or precise location
Device Device category (mobile, desktop, tablet) Device model, serial number, or unique identifiers
Operating system OS name (e.g., iOS, Android, Windows) OS version or kernel details
Browser Browser name (e.g., Chrome, Safari) and language preference Full user agent string, browser fingerprint, or cookies
Timestamp When the scan occurred
UTM parameters Campaign tags if present in the URL
Referrer URL Referring URL when present Full browsing history
Identity Nothing Name, email, phone, account info, or any personal identifier

The purpose of scan analytics is to tell you how many people scanned your code, roughly where from, and on what kind of device. It's aggregate insight, not individual tracking. We can't tell you who scanned your code. We can't reverse an IP hash to find out. That's by design.

Static QR codes: zero data by design

If you generate a static QR code on QR Nova, the situation is even simpler: we collect nothing. Static codes are generated entirely in your browser. The destination URL is encoded directly into the QR pattern. No redirect passes through our servers. No scan is recorded. No analytics exist. We literally don't know the code was created.

This matters for use cases where privacy is non-negotiable: medical information, internal corporate links, personal contact details, or anything where even anonymized tracking is unwanted. A static QR code from QR Nova is as private as writing a URL on a piece of paper.

How we anonymize scan data

The phrase "we anonymize your data" has become meaningless through overuse. Every company says it. Few explain what they mean. Here's exactly what we do.

When a scan event arrives, the scanner's IP address is passed through SHA-256, a cryptographic hash function. This converts the IP into a fixed-length string of characters. The critical property of SHA-256 is that it's a one-way function: you can go from IP to hash, but you cannot go from hash back to IP. There is no key, no decryption, no way to reverse it.

We use the hash for two purposes: deduplication (so one person scanning the same code five times in a row counts as one scan, not five) and aggregate analytics (scan counts by region). After hashing, the raw IP is discarded. It is never written to our database. The same hashing applies to security audit records (login events, API key operations)—those logs also store only the hashed IP, never the original.

This means that even if our database were somehow compromised, an attacker would find hashed strings, not IP addresses. And even we, as the platform operator, cannot identify individual scanners from our own data.

Account security

Privacy and security are different things, but they depend on each other. Data that's private but poorly secured isn't really private. Here's how we protect access to your account.

Passwordless authentication

Our primary login method is passwordless magic links. When you sign in, we send a one-time link to your email. That link uses a cryptographically random token with high entropy, and the token is hashed before being stored, so even our own database never contains a usable login token. Each link expires in 15 minutes and can only be used once. After use, it's deleted.

We also support Google OAuth for users who prefer it. Both methods avoid the biggest authentication vulnerability: reused passwords.

Bot protection

Our sign-in page includes challenge-based bot protection to prevent automated credential stuffing and brute-force attacks. We also maintain a blocklist of over 3,000 disposable email domains to prevent throwaway account abuse.

API key security

If you use the QR Nova API, your API keys are hashed before storage using HMAC with a server-side secret. We cannot read your API key after it's created, you see it once, and then it exists only as an irreversible hash on our end. If your key is compromised, you revoke it and generate a new one.

Rate limiting

Every endpoint, public pages, authentication, and API calls, is rate-limited. Free-tier users get lower burst limits; paid plans scale up. This prevents abuse, brute-force attacks, and denial-of-service attempts. Rate limits are enforced at the edge before requests reach our application.

GDPR compliance — not a checkbox, a system

GDPR compliance isn't a certificate you hang on the wall. It's a set of behaviors that either happen in your code or don't. Here's how ours work.

Denied by default

When you first visit QR Nova, all non-essential tracking is denied. Analytics cookies, marketing cookies, and advertising tags are blocked. Nothing fires until you explicitly make a choice. This isn't a technicality, our consent system integrates with Google's Consent Mode v2, which means Google Analytics and Google Ads tags literally cannot activate until consent is granted.

This consent system applies to website visitor tracking. QR scan analytics work differently: when someone scans a dynamic QR code, the redirect passes through our servers before the scanner ever loads a page in their browser. That server-side event is what records the scan—it runs independently of any cookie banner. Scanners are not interacting with our marketing website; they are using a redirect service. The privacy protection there comes from data minimization and IP hashing, not from consent gates.

Genuine choice

Our cookie consent banner presents "Accept" and "Decline" with the same visual weight. No dark patterns. No color tricks to make "Accept" more prominent. No "legitimate interest" toggles buried in a sub-menu. You can also customize which categories (analytics, marketing) you accept or decline individually.

Every consent decision, accept, decline, or custom, is logged with a timestamp, an anonymous identifier (not your account, not your IP), and the specific choices made. This log exists so that if a regulator ever asks "can you prove this user consented to analytics tracking?", we can answer with a timestamped record. The IP address in the consent log is hashed, same as scan data.

Right to deletion

You can delete your account from the dashboard settings. No support ticket. No "please email us and wait 30 business days." The deletion is processed automatically after a short grace period (in case you change your mind). Once that window closes, your account, QR codes, scan data, and consent records are permanently removed.

Third-Party services and what they see

No web application runs in complete isolation. We use a small number of third-party services, and here's exactly what each one sees:

Service Purpose What they receive Condition
Payment processor Subscription billing Email, payment method, billing history Only if you subscribe to a paid plan
Email service Transactional emails (magic links, welcome, receipts) Your email address Only when we need to send you an email
Analytics Understanding how visitors use our website Anonymized usage data Only if you grant analytics consent
Error monitoring Detecting and fixing bugs Error context (no personal data) Automatic, minimal data

That's the complete list. No advertising networks. No data enrichment services. No "partners" who buy access to scan analytics. We don't monetize your data because we monetize the product. Our business model is subscriptions, not surveillance.

Static vs. dynamic: a privacy comparison

The privacy profile of a QR code depends entirely on whether it's static or dynamic. This distinction is worth repeating because it's the single most important privacy decision you make when creating a QR code.

Feature Static QR code Dynamic QR code
Generated where Your browser (client-side) Our servers
Data sent to QR Nova None Destination URL and design settings
Scan tracking None, impossible Anonymized analytics (hashed IP, country, city, device, OS, browser name, language, referrer)
Editable after printing No Yes, change destination without reprinting
Account required No Yes
Best for privacy Yes, zero data footprint Good, anonymized, but data exists

If your use case doesn't need editability or scan analytics, a static QR code gives you the best possible privacy: literally zero data collection. For cases where you need to track performance or update destinations, dynamic codes give you analytics with meaningful privacy protections built in.

For a deeper dive into the functional differences, see our static vs. dynamic QR codes guide.

What we'd tell you even if it were uncomfortable

Transparency cuts both ways. Here are things we think you should know, even though they're not marketing-friendly:

  • Dynamic QR codes do involve a redirect through our servers. That's how scan analytics work. The redirect happens server-side, before any page loads in the scanner's browser, so it is not subject to cookie consent. Privacy protection for scanners relies on data minimization (we only collect what's listed in the table above) and irreversible IP hashing, not on opt-in consent. If the idea of any data collection bothers you, use a static code.
  • Country and city-level location data is derived from IP addresses before hashing. This means we extract geographic information from your scanner's IP, then discard the IP. The location data itself is approximate, city-level at best, but it does exist in your analytics dashboard.
  • We don't hold any security certifications (yet). We haven't pursued ISO 27001 or SOC 2. What we have is a set of concrete security practices documented on this page. We'd rather show you what we actually do than wave a certificate that doesn't tell you anything specific.
  • If we're ever compelled by law enforcement to produce data, we can only produce what we have. For scan events, that's hashed IPs and approximate locations. For accounts, that's email addresses and QR code configurations. We can't produce raw IPs because we don't have them.

The bottom line

Privacy in the QR code industry is a low bar. Most generators either don't address it or address it with vague legal language that protects the company, not the user. We built QR Nova with a different assumption: the less data we store, the less can go wrong, for you and for us.

Static codes collect nothing. Dynamic codes collect anonymized analytics (hashed IP, country, city, device, OS, browser name, language, referrer). IPs are hashed before storage—for scan records and security logs alike. Website visitor tracking is consent-gated. Deletion is self-service. Third-party data sharing doesn't exist.

If you have questions about any of this, our Privacy Policy, Terms of Service, and Cookie Policy contain the legally binding versions. This post is the human-readable one.

Frequently asked questions

Does QR Nova track who scans my QR code?

It depends on the type of code. Dynamic QR codes collect anonymized scan analytics: a one-way hash of the scanner's IP address, approximate location (country and city), device type, and browser language. We cannot identify individual scanners, the IP hash is irreversible. Static QR codes collect nothing at all. They are generated entirely in your browser and never contact our servers.

Can QR Nova see the IP addresses of people who scan my codes?

No. Before any scan record is stored, the scanner's IP address is passed through a SHA-256 hash, a one-way cryptographic function. The result is a fixed-length string that cannot be reversed to reveal the original IP. We never store raw IP addresses—not in scan records, not in security logs.

Is QR Nova GDPR compliant?

Yes. All tracking is denied by default until the visitor makes a consent decision. The consent banner gives Accept and Decline equal visual weight, no dark patterns. Every consent decision is logged with a timestamp and anonymous identifier for audit purposes. Users can request account and data deletion at any time.

What happens to my data if I delete my account?

When you request account deletion, there is a short grace period in case you change your mind. After that window closes, your account, QR codes, scan history, and all associated data are permanently deleted. This process is automated, no manual request or support ticket required.

Does QR Nova sell scan data to third parties?

No. We do not sell, share, trade, or otherwise distribute scan data to any third party. Scan analytics exist solely for your own dashboard. We have no advertising network partnerships and no data broker relationships.

Can I use QR Nova without creating an account?

Yes. Static QR codes, including URL, WiFi, vCard, email, phone, and SMS codes, can be generated without an account. These codes are created entirely in your browser. No data is sent to our servers, no tracking is attached, and no account is required.

Generate your first QR code — free

Get started