You put a QR code on a flyer, someone scans it, and now you're wondering: what just happened? Who was that? Where are they? What are they doing right now?
Let's slow down, because the answers to those questions range from "you can absolutely know that" to "you really can't" to "you could, but you probably shouldn't." And the line between useful tracking and uncomfortable surveillance is thinner than most people realize.
What a scan tells you
When someone scans a QR code and their phone opens the link, a small amount of information comes along for the ride. Not because anyone is being sneaky, but because that's just how web requests work. Every time any device opens any link, the server on the other end learns a few things:
- When the scan happened (date, time, down to the second)
- Roughly where the person is (country and usually city, based on their IP address)
- What device they used (iPhone vs. Android, and sometimes the browser)
- Where the code lives, if you're using different codes for different locations or campaigns
That's the honest list. It's the kind of information you'd get from any link click on any website. Nothing exotic, nothing hidden.
What you don't get is a name, an email address, a phone number, or any way to identify the specific person who scanned. You see a data point, not a person. "Someone in Chicago scanned your menu code at 7:14 PM on an iPhone" is as specific as it gets.
The gap between "technically possible" and "useful"
Here's where it gets interesting. Some QR platforms advertise tracking features that sound like they're giving you a surveillance dashboard. Heatmaps, user journeys, demographic breakdowns. And some of that is real, in the sense that you can infer broad patterns from aggregate data. But a lot of it is dressed-up guesswork.
City-level location, for instance, comes from IP address lookups. It's usually right for the city. Sometimes it's a neighboring city. Occasionally it's just wrong. It's useful for answering "are people in Denver scanning my codes?" but not for pinpointing someone's street corner.
Device data is similar. You can see the split between iPhone and Android users, which is genuinely helpful if you're sending people to an app download page and need to know which store link to prioritize. But "device type" doesn't mean you know what the person looks like or how old they are.
The honest version of scan analytics is pattern recognition. You're looking for trends across dozens or hundreds of scans, not building profiles on individuals. And honestly, that's where the useful insights live anyway.
What's worth paying attention to
If you have QR codes in multiple locations, the most valuable thing analytics can tell you is which locations are pulling their weight. You printed the same flyer for three coffee shops and one of them is getting ten times the scans? That tells you something. Maybe the code is placed better, maybe the foot traffic is different, maybe one location stuck the flyer behind the espresso machine where nobody can see it.
Time-of-day patterns are quietly useful too. If your restaurant menu code gets most of its scans between 11:30 AM and 1 PM, you know the lunch crowd is engaging. If scans drop to zero after 3 PM, maybe your dinner crowd doesn't even know the code exists. That's a placement problem, not a technology problem.
DSQR's scan analytics show you this kind of thing without pretending to show you more than what's there. Country, device, scans over time. Enough to make decisions, not enough to be weird about it.
Where the creepy line is
The uncomfortable truth is that the QR code itself isn't where privacy gets invasive. It's what happens after the scan. If your QR code sends someone to a page that immediately fires tracking pixels, drops cookies, and fingerprints their browser before they've even seen the content, that's where things get uncomfortable. The code was just the door. The room behind it is what matters.
I'm not sure every business owner thinks about this, but if you're sending scans to your own website, whatever tracking you already have on that site applies to those visitors too. Google Analytics, Meta pixels, retargeting scripts. The QR code didn't add that surveillance. Your website already had it.
The cleanest approach is to send QR scans to pages that do what you promised and nothing more. If the code says "view our menu," send them to the menu. Not to a landing page with a newsletter popup and a chatbot and a cookie consent banner the size of a billboard.
Keep it boring
The best scan analytics are boring in the best way. They tell you what's working, where it's working, and when. They don't pretend to know who people are. That restraint isn't a limitation. It's the whole point.
If you want to try this yourself, DSQR's free plan gives you scan analytics on up to five codes. Enough to see whether anyone is scanning those flyers you taped up last month.