QR codes are everywhere — restaurant menus, event tickets, payment links, WiFi credentials, business cards. Generating one is trivially easy: type some text, click a button, get a scannable image. But behind that simplicity is a privacy question most people never consider: did the website you used to generate the QR code record what you encoded?

This guide explains how QR code generators work, which ones collect your data, how to verify a generator is safe, and best practices for both generating and scanning QR codes in 2026.

How QR code generators work

A QR code is a two-dimensional barcode that encodes text using a standardized pattern of black and white squares. The encoding algorithm (Reed-Solomon error correction) is well-defined and computationally lightweight — a typical QR code can be produced in milliseconds on any modern device.

Because the algorithm is simple and public, QR code generation does not require a server. A browser can run the encoding entirely in JavaScript, producing a QR code image without ever sending your data across the network. This is exactly how a client-side generator works: you type your text, the browser encodes it locally, and you get a downloadable PNG or SVG.

The problem? Many popular QR code generators do not work this way. Instead, they send your input to a server, generate the QR code there, and return the image. The difference is invisible in the browser — the resulting QR code looks identical — but the privacy implications are enormous.

What data do QR code generators collect?

A server-side QR code generator sees everything you type into it. Depending on what you are encoding, that can include highly sensitive information:

QR code typeExample data sent to serverRisk if collected
URLhttps://mycompany.com/secret-pageExposes unpublished URLs, staging sites, internal dashboards
WiFi credentialsSSID: HomeNetwork, Password: MySecret123Reveals WiFi password to the generator's server
Contact card (vCard)Name, phone, email, address, companyFull contact profile harvested for spam or resale
Payment infoBank account, UPI ID, crypto addressFinancial data logged on a third-party server
Event ticketsTicket ID, seat number, access codeTicket fraud, unauthorized duplication
Text / SMSArbitrary text contentTrade secrets, passwords, private messages

A server-side generator does not need to be malicious to be risky. The data may be logged for debugging, stored in analytics, accidentally exposed through a misconfigured database, or accessed by a compromised employee account. The generator itself may be legitimate — the risk is that your data now exists on a system you do not control.

The server-side generation trap

Many of the top-ranking QR code generators on Google are server-side. They rank well because they offer "advanced features" that require a server: tracking pixels, dynamic QR codes that can be edited after printing, analytics dashboards showing scan counts and locations.

These features are legitimate for marketing use cases — knowing how many people scanned your billboard QR code is useful. But the architecture that enables those features also means every QR code you generate passes through the vendor's server. If you are generating a QR code for your home WiFi, a vCard, or a private URL, those features are irrelevant — and the server-side architecture is an unnecessary risk.

The trap is that the generator's marketing page rarely distinguishes. It advertises "free QR code generator" without clarifying whether the generation happens on your device or on theirs. The user types their WiFi password, clicks generate, and never realizes the password was transmitted to a third-party server.

How to verify a QR generator is client-side

The verification method is the same as for any online tool. Open your browser's DevTools and follow these steps:

  1. Open DevTools (F12) and go to the Network tab.
  2. Enable Preserve log and filter to Fetch/XHR.
  3. Clear the existing log.
  4. Type a test text into the QR generator — something unique like "test-qr-a1b2c3 privacy check" so you can spot it in a payload.
  5. Click Generate.
  6. Inspect every network request. Look for any request whose payload contains your test text. Check the Payload or Request tab of each request.
  7. If you find your test text in a request body, the generator is server-side. If no request contains it, the generation is client-side.

A legitimate client-side generator will show zero network requests containing your input. The QR code appears instantly because the encoding ran in your browser. LoveMyFile's QR Code Generator works exactly this way — you can verify it yourself with the steps above.

QR code generation best practices

  1. Use a client-side generator for any QR code containing non-public information. WiFi passwords, contact details, private URLs, and payment information should never transit a third-party server during generation.
  2. Prefer SVG output over PNG when possible. Vector QR codes scale perfectly to any print size without pixelation. A client-side generator can produce both formats without server involvement.
  3. Choose the right error correction level. Low (L, ~7%) is fine for digital displays. Medium (M, ~15%) is the standard default. High (H, ~30%) is recommended for print, especially if the code might get dirty or partially obscured. A good generator lets you choose.
  4. Test-scan before printing. Scan the generated QR code with at least two different devices (iOS and Android) before committing to a print run or sticker order.
  5. Do not encode secrets in QR codes that will be publicly displayed. A QR code on a printed poster is readable by anyone with a phone camera. If the content is sensitive, the QR code should be distributed privately — not posted in a public space.

Scanning QR codes safely

Generating QR codes securely is only half the story. Scanning them safely is equally important, and the risks are different:

  • Preview the URL before opening. Most modern phone cameras and QR scanner apps show the decoded URL before navigating to it. Read it. Look for misspellings, unexpected domains, or URL shorteners that hide the true destination.
  • Be wary of QR codes in public spaces. Sticker-based attacks — where a malicious QR code is placed over a legitimate one on a parking meter, menu, or advertisement — are increasingly common. If a QR code looks like a sticker on top of another surface, do not scan it.
  • Use your phone's built-in scanner. Both iOS (Camera app) and Android (Google Lens or Camera) have built-in QR scanning that previews the URL before opening. Third-party scanner apps may have their own motivations — ads, analytics, data collection.
  • Never scan QR codes from untrusted emails or messages. A QR code in an unsolicited email is the same as a suspicious link — it can lead to a phishing site or trigger a malicious download.

Static vs dynamic QR codes

A static QR codeencodes the data directly into the pattern. Once printed, the content cannot be changed. The code "https://lovemyfile.com" will always resolve to that URL. Static codes can be generated entirely client-side.

A dynamic QR codeencodes a short redirect URL that points to the vendor's server. The vendor can change the destination at any time. This is useful for marketing campaigns where you might update the landing page after printing, but it introduces two risks: the vendor controls where your audience is redirected, and the vendor collects scan analytics (location, device, time).

Dynamic QR codes always require a server. If a generator offers dynamic codes, it is by definition server-side for those codes. If you only need a static code, use a dedicated static generator that does not have server-side infrastructure at all.

Related privacy practices

The principle behind safe QR code generation applies to many other tools: if the operation is mathematically simple and well-defined, there is no technical reason to send your data to a server. For example, our password strength guide explains why you should never type your password into an online "strength checker" — the same server-side risk applies. Similarly, understanding online file tool privacy covers the broader pattern across all categories of web-based tools.

For developers, the same vigilance extends to code formatters. The JSON formatters comparison details why pasting JSON into a server-side formatter can leak API keys, database schemas, and proprietary business logic.

Bottom line

QR codes are simple to generate and easy to take for granted. But the same input you type into a generator — a WiFi password, a vCard, a private URL — is visible to the server if the generator is server-side. For non-public data, always use a client-side generator and verify with DevTools that your input never left your device.

Generate QR codes privately

Use the QR Code Generator on LoveMyFile — entirely client-side, no server involvement, no data collection. Your URLs, WiFi credentials, and contact details stay on your device. Verify it yourself with DevTools.