Can I See Who Scanned My QR Code?

What can you actually see when someone scans?

When a scan passes through a tracking redirect, the server captures a handful of technical fields from the HTTP request. The IP address is the anchor. From there, the server derives an approximate geographic location, usually at the city and country level. The user agent header reveals which browser and operating system made the request, and from that you can infer whether the scan came from an iPhone, an Android device, or a desktop.

The timestamp records the exact moment of the scan, which lets you build time-of-day and day-of-week reports. The referer header, when present, shows which web page embedded the QR image. All of this data is stored in the btools_qrcode_scans table and made available through a dynamic QR code with tracking dashboard.

In short, you see patterns and context. You see that someone in Austin opened your menu at 7:43 PM using an iPhone Safari browser. That is genuinely useful for marketing decisions, but it stops well short of identity.

What information is never captured?

Scan tracking does not capture names. It does not capture email addresses. It does not capture phone numbers. It does not capture social media handles. It does not access contacts, photos, or any other data on the scanning device. QR code scanning is simply the phone camera reading a URL and opening it in a browser, and the browser sends only the standard technical headers that every web request sends.

A scan also does not give you any control over the scanning device. You cannot install anything, you cannot push notifications, and you cannot see a person's location after they leave your landing page. If you want contact information, you have to ask for it on the destination page itself, through a form.

GPS coordinates are also not part of a scan. The location you see is derived from the IP address using a geolocation database, which is accurate at the city level most of the time but can be off by many miles, especially when the user is on a mobile carrier or a VPN. For a technical explanation, see the Wikipedia article on QR codes.

How should you handle privacy and disclosure?

Even though scan data is anonymous, responsible marketers disclose that they collect it. Your website privacy policy should mention that QR codes route through a tracking server and that IP, device, and approximate location are recorded. In jurisdictions covered by GDPR, CCPA, or similar laws, this disclosure is often a legal requirement rather than a courtesy.

If your QR code leads to a page that sets cookies or collects personal data through a form, the usual cookie banner and consent workflow apply to that page. The scan log itself is comparable to ordinary web server logs, which most privacy frameworks treat as legitimate operational data.

When in doubt, add a sentence near the QR code itself: "Scanning this code will take you to our website, where we record anonymous analytics." Transparency rarely hurts.

Can you tell if the same person scanned twice?

Roughly, yes. If two scans share the same IP address and the same user agent string within a short time window, it is reasonable to treat them as the same device. This is how most analytics tools distinguish between total scans and unique scans. But it is not an identifier in the legal sense. IP addresses rotate, mobile users switch between cellular and wifi, and multiple devices on the same network share an outbound IP.

For most campaign purposes, the difference between total scans and unique scans is what you care about. Total scans show raw reach and repeat engagement, while unique scans approximate the number of distinct people who saw your code. Both numbers are visible in a properly configured tracking dashboard, and both are useful.

How should you use the data responsibly?

Use scan data to improve placement, timing, and creative. If a specific flyer location generates almost no scans, reconsider where you printed it. If scans cluster around lunchtime, schedule related email campaigns for the same window. If most scans come from iPhones, test that your landing page looks right in mobile Safari first.

Do not try to use anonymous scan data to pressure, profile, or target individuals. That is neither feasible with the data available nor ethically sound. The point of QR tracking is to measure aggregate campaign performance, not to surveil scanners. For an overview of how anonymous analytics fits into broader measurement practice, the web analytics article on Wikipedia is a good reference.

If you run a nonprofit and want scan data tied to donation outcomes, see the QR code for nonprofits solution.

Frequently Asked Questions

Related Posts