How Do Trackable QR Codes Work?
A plain-English walkthrough of the redirect chain, the data captured at each step, and why a tracked scan still feels instant to the person holding the phone.
A trackable QR code encodes a short URL like app.qrcodefordonation.com/q/abc123. When someone scans it, their phone opens that URL. The server records the scan (IP, device, city, country, timestamp, referer), then sends back an HTTP redirect to the real destination. The whole handshake takes a fraction of a second and the visitor sees the final page as if they had typed it directly.
What a trackable QR actually contains
People often think a tracked QR code holds the destination address. It doesn't. The pixels on the page encode a short URL pointing to a server you control. With our platform, that URL looks like app.qrcodefordonation.com/q/{slug}, where the slug is a 3 to 25 character handle you pick or one we generate.
This indirection is the entire trick. The phone has no idea anything special is happening. It reads a URL, opens it in the browser, and waits for a response. The server is the part that makes the QR trackable, not the printed code itself.
If you skip the redirect step and bake a destination like https://example.org/donate straight into the code, you get a static QR. Static codes work, but they tell you nothing about who scanned them and you can't change where they point. A dynamic QR code generator is the prerequisite for any tracking at all.
The redirect chain step by step
Here's the sequence that runs every time someone points their camera at a tracked QR:
- The camera app decodes the pixel grid into a URL string.
- The phone opens that URL in the default browser.
- The browser sends a GET request to /q/{slug} on our server.
- The server looks up the slug in the database and finds the matching destination.
- The server writes a row to btools_qrcode_scans with the request metadata.
- The server returns a 301 or 302 response with a Location header pointing to the real destination.
- The browser follows the redirect and loads the final page.
The redirect itself is a normal HTTP response, the same kind that powers URL shorteners and any "moved page" handler. If you want the formal definition, the Wikipedia HTTP redirect article walks through the status codes and how clients handle them.
What data the server records
Every HTTP request carries a small bundle of metadata. The server reads what's useful and stores it against the scan record:
- IP address. Captured from the connection. Used for geo lookup and basic abuse detection.
- User agent. A string the browser sends that identifies the OS, device, and browser. This is how the dashboard shows iPhone vs Android vs desktop.
- City and country. Derived from the IP address using a geolocation database. Accurate to the city level for most public IPs, less so on cellular networks.
- Timestamp. Server time when the request arrived, used for hourly and daily charts.
- Referer. If the scan came from a webpage rather than a printed code, the browser may pass the source URL.
The platform doesn't read the camera, the photo library, contacts, or anything that requires app permissions. Everything you see in the dashboard comes from a regular web request. To set up this kind of capture, see the dynamic QR code with tracking setup page.
Why redirects feel instant
People worry that adding a hop slows things down. In practice, the extra step is invisible. A redirect is one round trip with a tiny payload. No HTML, no images, no JavaScript. The server writes one database row and sends back a header response measured in bytes.
On a normal mobile connection, that round trip takes somewhere around 50 to 150 milliseconds. The visitor's browser then loads the actual destination page, which is the slow part anyway. The redirect is so fast that the phone often shows the destination URL in the address bar before the user has even lifted their thumb off the screen.
One quiet benefit: because the server picks the destination at request time, you can change it without reprinting anything. A poster at an event can point at one URL on Friday and a different URL on Saturday. The QR pixels never change.
Privacy and consent
Tracked QR codes don't identify a specific person. They identify a request. That said, IP addresses are personal data under several regional laws, so a few practices are worth following.
- Mention QR scan tracking in your privacy policy alongside other web analytics.
- If you operate inside the EU or UK, treat the IP and location fields like you would Google Analytics data.
- Don't tie the scan record to a logged-in user identity unless your privacy policy says you do.
- Set a retention window. Old scan rows rarely earn their keep after a year.
None of this is hard. It's the same housekeeping any site that runs analytics already does. The payoff is real numbers about which posters worked, which cities your campaign reached, and which times of day people actually engaged.
Frequently asked questions
What is a trackable QR code?
A trackable QR code encodes a short redirect URL on a server you control. When scanned, the server logs the scan event and then forwards the visitor to the real destination.
What data does a trackable QR code capture?
Common fields include IP address, user agent (device and browser), city and country derived from IP, timestamp, and HTTP referer when available.
Does the redirect slow down the scan?
No. A 301 or 302 HTTP redirect typically completes in under 100 milliseconds. The visitor sees no visible delay.
Can I change the destination after printing?
Yes. Because the QR encodes the short URL, you can edit the final destination in your dashboard at any time without reprinting the code.
Are trackable QR codes private?
They collect aggregate analytics, not personal identity. IP addresses are stored for geo lookup. Disclose tracking in your privacy policy if you operate in regions with consent rules.
Keep reading
Make your next QR code trackable.
Generate a dynamic QR code, point it anywhere, and see every scan in your dashboard.
Create a trackable QR →