Safety and privacy
A QR code hides its destination until it is scanned, so trust depends on context, labels, and the quality of the destination itself.
Static QR codes can be privacy-friendly because they do not require a redirect provider, but the encoded destination must still be safe.
Key decisions
Label the destination
Tell scanners what will open: menu, Wi-Fi, contact card, review link, payment, or support chat.
Avoid sensitive data
Do not encode passwords, private notes, access tokens, or personal data in public QR codes.
Inspect public placements
Check printed codes for tampering, stickers placed over the original, low contrast, or destinations that now redirect somewhere other than intended.
Safety tradeoffs
| Choice | Safer practice | Risk to avoid |
|---|---|---|
| Static code | No provider redirect required | Cannot change after printing |
| Dynamic redirect | Editable destination | Provider dependency and tracking concerns |
| Payment QR | Show recipient and amount clearly | Unlabeled payment requests |
QR safety checklist
- Scan every final print proof before public release.
- Keep destination URLs short, recognizable, and HTTPS.
- Avoid encoding confidential values directly in the QR payload.
- Inspect public stickers or posters for tampering during campaigns.
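The first three checklist items can be checked on the string decoded from each print proof. The following is an added example, not part of the original page: the allowlist, the length limit, the secret-detection heuristics, and the sample payloads are all constructed assumptions to replace with your own policy.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed policy values for illustration; replace with your own.
ALLOWED_HOSTS = {"example.com", "menu.example.com"}
MAX_URL_LENGTH = 60
# Heuristics only: parameter names and value shapes that often mean a secret.
SENSITIVE_KEYS = re.compile(r"pass(word)?|pwd|token|secret|api[_-]?key|session", re.I)
LONG_OPAQUE = re.compile(r"^[A-Za-z0-9_\-+/=.]{32,}$")


def audit_payload(payload: str) -> list[str]:
    """Return findings for one decoded QR payload; an empty list means pass."""
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        # Wi-Fi join payloads carry the passphrase in a P: field.
        fields = re.split(r"(?<!\\);", text[5:])
        has_pass = any(f.startswith("P:") and len(f) > 2 for f in fields)
        return ["wifi-passphrase-in-payload"] if has_pass else []
    try:
        parts = urlsplit(text)
    except ValueError:
        return ["unparseable-url"]
    if parts.scheme.lower() not in ("http", "https"):
        # Plain text, vCard, etc.: only look for secret-like content.
        hit = SENSITIVE_KEYS.search(text) or LONG_OPAQUE.match(text)
        return ["possible-secret-in-payload"] if hit else []
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        findings.append("host-not-allowlisted")
    if parts.username or parts.password:
        findings.append("credentials-in-url")
    if len(text) > MAX_URL_LENGTH:
        findings.append("url-too-long")
    params = parse_qsl(parts.query + "&" + parts.fragment, keep_blank_values=True)
    for key, value in params:
        if SENSITIVE_KEYS.search(key) or LONG_OPAQUE.match(value):
            findings.append(f"possible-secret-in-parameter:{key}")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as decoded from print proofs.
    for sample in ("https://example.com/menu", "http://example.com/menu",
                   "https://example.com/r?token=abc123",
                   "WIFI:T:WPA;S:CafeGuest;P:constructed-pass;;"):
        print(sample, "->", audit_payload(sample) or "ok")
```

A finding is a prompt for review before printing, not proof of a problem; a Wi-Fi code intended for a private space may carry a passphrase by design.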
Frequently asked questions
Are static QR codes private?
They can be more private than redirect-based codes because the payload is encoded directly, but the destination website may still collect analytics.
How do I reduce QR phishing risk?
Use clear labels, trusted HTTPS domains, visible short URLs, and regular placement checks for public materials.