🌿QRMint

Dynamic QR Code Privacy Risks

Every scan is logged somewhere. Here is what that means under GDPR and Japan's APPI.

Last updated: 2026

Dynamic QR codes are convenient — you can change the destination after printing — but every single scan is routed through a redirect server, and that server is logging things. For a marketer it is "analytics". For your end user it is personal data. This article explains what is collected, who can see it, how GDPR and APPI apply, and how QRMint takes a privacy-first approach.

Dynamic QR (competitor): Scan → vendor.com/r/abc → log IP, UA, location → 3rd party → destination

Static QR (qrmint.app): Scan → destination directly (no tracker, no log)

Step-by-step Guide

Step 1: Understand the redirect chain

Static QR codes contain the URL directly. Dynamic QR codes contain a short URL on the provider's domain, which redirects via HTTP 302. The provider sees every scan along the way.

Step 2: Identify what is logged

Typical fields include: IP address (used to derive country/region/city), user-agent (OS, browser, device model), timestamp, referrer, and sometimes a tracking cookie or fingerprint.

Step 3: Know who can read it

Scan logs can be read by the QR provider, by any analytics integrations it uses (Google Analytics, Mixpanel, etc.), and, depending on the jurisdiction, by third parties through legal requests. Some providers also share aggregated data.

Step 4: Apply the GDPR test

Under GDPR, IP-based location and device fingerprinting count as personal data. You need a lawful basis (usually consent or legitimate interest), a privacy notice, and a data processing agreement with your QR provider.

Step 5: Apply the Japanese APPI test

Japan's amended Act on the Protection of Personal Information (改正個人情報保護法) also treats IP plus identifiable device data as personal information when combined. You must disclose collection and obtain consent for cross-border transfer.

Step 6: Choose a privacy-first design

QRMint's static QR codes are generated entirely in the browser — no scan ever reaches our server, so there is nothing to log. For dynamic QR Pro users, we minimize logged fields, do not sell data, and offer a 90-day grace period after cancellation.
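
The redirect hop from Step 1 and the logged fields from Step 2 can be reproduced on loopback. This is an added example, not QRMint's or any provider's code: the short code, destination URL, user-agent string and the Redirector, scan and demo names are all constructed for illustration.

```python
import http.client
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

LINKS = {"abc": "https://example.com/menu"}  # constructed short code -> destination
SCAN_LOG = []  # what the redirect operator ends up holding

class Redirector(BaseHTTPRequestHandler):
    # Hypothetical dynamic-QR endpoint, standing in for vendor.com/r/abc.
    def do_GET(self):
        code = self.path.rsplit("/", 1)[-1]
        dest = LINKS.get(code)
        if dest is None:
            self.send_error(404)
            return
        # Each field arrives with the request itself; no script or cookie needed.
        SCAN_LOG.append({
            "code": code,
            "ip": self.client_address[0],
            "user_agent": self.headers.get("User-Agent"),
            "referrer": self.headers.get("Referer"),
            "timestamp": datetime.now(timezone.utc).isoformat(),
        })
        self.send_response(302)
        self.send_header("Location", dest)
        self.end_headers()

    def log_message(self, *args):
        pass  # silence the default stderr access log

def scan(port, path, user_agent):
    """Act as the phone: request the short URL but do not follow the redirect."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"User-Agent": user_agent})
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")

def demo():
    server = HTTPServer(("127.0.0.1", 0), Redirector)  # loopback, ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        ua = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"  # constructed
        return scan(server.server_port, "/r/abc", ua), SCAN_LOG[-1]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

The record in SCAN_LOG is written before the 302 is sent, so the operator holds the scan data whether or not the user ever reaches the destination.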

Tips & Best Practices

  • If you do not need analytics, prefer static QR codes — there is literally no privacy risk because nothing is logged.
  • When using dynamic QR for marketing, mention QR scanning in your privacy notice.
  • Avoid QR providers that share or sell aggregated scan data.
  • If your audience is in the EU, choose a provider with an EU data region or a clear DPA.

FAQ

Are static QR codes really private?
Yes. A static QR code is just an image — no QR provider server is contacted when it is scanned (the user is sent directly to the encoded URL).

What does QRMint log for dynamic QR scans?
Country (from IP, no street address), device type, OS, browser, and timestamp. We do not sell or share scan data with third parties.

Do I need consent banners for QR analytics?
Under GDPR, yes — if scan data plus other context can identify a user. Disclose it in your privacy notice and add it to your cookie/consent flow.

Can I delete scan data?
Yes. QRMint Pro users can delete a dynamic QR and its scan history at any time.
