When you scan a QR code, you might wonder: does the person who created this code now know where I am? The honest answer is more nuanced than a simple yes or no — and understanding the nuance is the key to protecting yourself.
The short answer: no automatic GPS access
Scanning a QR code does not transmit your GPS coordinates to the code creator. The act of scanning itself is local — your phone's camera reads the code, decodes it as a URL or text string, and that's it. Nothing about that process involves sending your location to anyone.
But that's only half the story.
What the landing page CAN do
The moment your browser loads the URL hidden inside the QR code, several things happen automatically — before you tap a single button.
IP address logging. Every web server logs the IP address of every visitor. Your IP address can be cross-referenced with geolocation databases to estimate your city or metro area — usually accurate to within 10–50 miles. This is not your exact address, but it confirms you are in a particular region. For scammers, knowing you're in Chicago versus Mumbai helps them craft more convincing follow-up phishing messages.
Device fingerprinting. The landing page can read your browser type, operating system, screen resolution, installed fonts, and time zone — all without asking permission. Combined, these data points create a fingerprint that's often unique enough to identify a returning visitor even without cookies.
Tracking pixels. A single invisible image loaded from a third-party server fires an analytics event that logs your IP address, device type, and the exact time you opened the page.
Location permission prompts. If the landing page asks for location access and you tap "Allow," your GPS coordinates — accurate to within a few meters — are transmitted to the site. A well-designed phishing page may disguise this request as a routine step: "Allow [FakeBrand] to use your location to find your nearest store."
What a QR code landing page CANNOT access without permission
- Your GPS coordinates (without an explicit "Allow" prompt you approve)
- Your contacts
- Your files or photos
- Your microphone or camera
- Your real street address (IP geolocation doesn't reach that level of precision)
The permission wall is real — modern iOS and Android enforce it strictly. The risk is not that a QR code silently harvests your location; it's that a deceptive landing page tricks you into granting permission voluntarily.
Static vs. dynamic QR codes: an important distinction
There are two types of QR codes, and they handle tracking very differently.
Static QR codes encode the final destination URL directly. When you scan one, your phone connects straight to that URL. The code creator receives only what that URL's server logs: your IP address and device type.
Dynamic QR codes encode a short redirect URL that routes through the creator's platform before forwarding you to the final destination. This redirect step lets the creator see every scan in real time — including approximate location (from IP), device type, operating system, and scan timestamp. Dynamic codes are standard practice for legitimate marketing — brands use them to measure campaign performance. But if a scammer uses a dynamic QR code, they're building a detailed log of every person who scanned it: where they were, what device they used, and when.
The presence of a redirect doesn't automatically mean the code is malicious. What matters is whether you recognize the redirect domain and the final destination.
The practical takeaway
Most QR codes you encounter in daily life won't do anything alarming with your location. But before you scan an unfamiliar code — on a flyer, a poster, or a sticker — it's worth knowing what you're handing over just by loading the page: your approximate city, your device profile, and confirmation that you exist and are curious enough to scan.
If the code then prompts for GPS access or asks you to fill in a form, those are the moments where real location exposure happens. Decline permission requests from unfamiliar sites. Never enter your physical address on a page you reached by scanning a QR code unless you fully trust the destination.
For a broader look at what a QR code can and cannot access, see our guides on what information a QR code can steal and whether scanning a QR code can give someone access to your phone.
How QRsafer helps
QRsafer checks the destination URL before your browser loads anything. That means before any tracking pixel fires, before your IP is logged by an unfamiliar server, and before a location permission prompt appears on screen. If the destination looks suspicious — a newly registered domain, a known phishing redirect, a URL that doesn't match the brand on the sign — you'll see a warning and can decide not to proceed.
Learn how to check if a QR code is safe before you scan, and download QRsafer for iOS or Android to put that check in your pocket.