Is a QR Code Generator Safe? Everything You Need to Know About Privacy

QR code generators sit in an interesting position from a privacy perspective. On the surface, you're just creating a scannable image. Underneath, depending on the tool you use, you may be handing a third-party service a log of every URL, piece of text, WiFi password, and contact card you've ever encoded.

This matters. And it's not talked about nearly enough.

How most QR generators work (and why that's a problem)

The typical architecture of a server-side QR generator looks like this:

1. You type your URL into a form on a website.
2. That URL is sent to the company's servers via an API call.
3. The server generates the QR code image and returns it to your browser.
4. You download the image.

Step 2 is the issue. Your URL — and everything it might reveal — is now on someone else's servers. For most URLs, that's fine in practice. For sensitive use cases, it isn't.

Consider: what if you're encoding a private document link? An internal company portal? A direct link to a patient intake form? A WiFi password? A personal contact card with your home address? All of that would transit through, and potentially be logged by, a third-party service you know nothing about.

Dynamic QR codes and privacy

Dynamic QR codes add a second, ongoing privacy concern beyond the generation step. Because every scan routes through the QR platform's redirect servers, the platform can log:

• The IP address of every person who scans your code
• Their approximate location
• Their device type and operating system
• The time and date of every scan

Platforms often market this as a feature — "scan analytics." And it is, if you want it. But it also means the scanning data of your customers, visitors, or patients is sitting in a third-party database you don't control. For healthcare, education, or any context with privacy obligations, this warrants careful consideration.

What "browser-only generation" actually means

Some generators — including Everly QR — generate QR codes entirely in the browser using JavaScript, without any server interaction.

Here's what happens when you use Everly QR:

1. You type your URL into the form.
2. A JavaScript library on the page takes that URL and computes the QR code pattern locally, in your browser tab.
3. The resulting image is rendered in the browser and offered for download.
4. Nothing is sent to any server. No API call is made. No data leaves your device.

You can verify this yourself using your browser's developer tools: open the Network tab, type a URL into the generator, and observe the outbound requests. For a browser-only generator, you'll see nothing relevant sent.

How to evaluate any QR generator's privacy posture

Before trusting a QR generator with sensitive data, ask:

• Does the tool generate QR codes server-side or client-side (in the browser)? Look for explicit language like "generated entirely in your browser" or check the network activity yourself.
• Is it generating static or dynamic codes by default? Dynamic codes, by definition, involve the platform's servers on every scan.
• Does the platform have a privacy policy? What does it say about encoded content? If they're generating codes server-side, what data is retained, and for how long?
• Is the tool open-source? Open-source QR generators are auditable — you can inspect exactly what the code does with your input.

When a QR code itself becomes a security risk

It's also worth noting the other side of QR code security: scanning a QR code created by someone else. This is the "QRishing" attack vector — malicious QR codes placed in public spaces that direct scanners to phishing pages, malware downloads, or payment portals.

As a scanner (not a generator), sensible practices include:

• Check the URL preview before tapping — most modern cameras show the destination before you commit.
• Be sceptical of QR codes placed in unusual locations or that feel out of context (parking meters, restaurant tables covered by a sticker).
• Use a QR scanner app that shows the full decoded URL rather than immediately opening it.

From the generation side — creating QR codes for your own use — the risks are about your data, not malware. Use a browser-only generator for anything sensitive.

The short version

Most QR generators send your data to their servers. For casual use (encoding a public homepage), this is low-risk. For anything sensitive — internal URLs, contact details, WiFi passwords, healthcare or legal content — use a generator that runs entirely in the browser and creates static codes. No redirect server ever needs to touch your data.

Everly QR is browser-only, generates static codes, and requires no account. Your data stays on your device from start to finish.