QR Code Location Tracking: How to See Where Every Scan Happens (Free in 2026)
What QR code location tracking actually is
QR code location tracking is the practice of recording the geographic location of each scan — usually as city and country, sometimes as precise GPS coordinates — and associating it with the QR code that was scanned. It works only with dynamic QR codes, because dynamic codes route every scan through a tracking server before redirecting the user. Static codes encode the destination directly into the pattern, so there is no server in the loop and no scan to log.
Two methods produce the location data you see in your dashboard. Both have trade-offs, and most platforms use both depending on what permissions the scanner grants.
Method 1: IP-based geolocation (automatic, no permission needed)
When someone scans a dynamic QR code, their phone makes an HTTP request to the redirect server. That request carries the device's public IP address. The server looks the IP up in a geolocation database — MaxMind GeoIP2 is the industry standard — which returns an estimated city, region, and country. The user is then redirected to the destination URL, usually within a few hundred milliseconds.
This happens automatically on every scan. No prompt, no permission, no app install. The scanner has no idea it's being recorded — and to be clear, this is the same mechanism every web analytics tool uses to estimate visitor geography.
Accuracy is decent but imperfect:
- Country-level: roughly 99% accurate.
- City-level: 75–95% accurate, depending on the ISP and how the user's mobile carrier routes traffic. On some cellular networks the IP resolves to the nearest gateway city, which may be 50+ miles from where the scan actually happened.
- VPNs and corporate proxies will return the location of the proxy server, not the user.
For 80% of marketing use cases — knowing which cities, states, and countries your campaign is reaching — IP-based geolocation is good enough.
Method 2: GPS-based location via HTML5 Geolocation (precise, requires permission)
Some platforms also support GPS-precise location by serving a small interstitial page that calls the browser's HTML5 Geolocation API. The browser prompts the user: "This page wants to know your location." If they accept, the platform captures latitude, longitude, and an accuracy radius (typically 5–50 meters outdoors).
This is the same mechanism Google Maps uses. It's far more precise than IP geolocation — but only a fraction of scanners will grant permission. Expect 10–30% opt-in rates depending on the context and the explanation you provide. For inventory tracking, field operations, and event check-ins, that's often plenty.
QRelix captures both — IP-based location on every scan, and GPS coordinates with accuracy radius when the scanner opts in. The scan log stores latitude, longitude, and locationAccuracy fields alongside IP, device, browser, referrer, and timestamp, so you can analyze either layer independently.
What you can do with QR code location data
Location is the most commercially useful dimension of QR scan data. A few examples:
Campaign attribution by region. Print the same QR code in 10 cities and find out which city converted best — without designing 10 separate codes. Use it to decide where to expand a campaign, which DMA to double down on, or which underperforming markets to cut.
In-store vs. out-of-store scans. If you put a QR code on shelf tags and another on a billboard nearby, geolocation tells you which surface drove which scans. Static codes can't do this. Period.
Event ROI. Place a code on a conference badge or trade-show booth. Scans clustered around the venue (and the dates) are your in-event engagement. Scans from elsewhere are people sharing the code post-event — that's organic reach you couldn't measure otherwise.
Fraud and quishing detection. A code printed in Boston that suddenly gets 800 scans from Eastern Europe is a tampering signal — someone may have overlaid your code with a malicious sticker, or your code is being scraped and used in phishing.
Field operations and asset tracking. Scan a code on a piece of equipment in the field, and the GPS coordinates tell you where the asset is right now. Useful for service dispatches, audit trails, and proving service was performed where it was supposed to be performed. Our QR code asset tracking guide goes deeper on this.
Is QR code location tracking free? Yes — here's the catch
Most QR generators paywall location tracking. They'll give you a static QR code for free and then require a $15–60/month subscription the moment you want to see where scans are coming from. Dynamic QR codes themselves usually cost money on those platforms, never mind the analytics layer.
QRelix is free to start. You can create dynamic QR codes, see scan-by-scan location data (city, country, IP, plus GPS when the scanner opts in), and export the raw scan log to CSV without paying anything. No 14-day trial, no credit card.
The catch: you need a dynamic QR code, not a static one. Static QR codes can never be tracked — by anyone, ever — because there's no server in the request path to record the scan. If you've been generating static QR codes from a free generator and wondering why you can't see analytics, that's why. We've written about this in more depth in our free QR code tracking guide.
Create a free trackable QR code in QRelix — takes about 30 seconds, no credit card required.
How to set up QR code location tracking in QRelix (step-by-step)
The setup takes under a minute. Here's the exact flow:
- Sign up free at qrelix.com. No credit card. You'll land in the dashboard with a fresh workspace.
- Create a new dynamic QR code. Pick a destination URL (or vCard, WiFi, file, etc.). QRelix generates a short tracking URL like
qrelix.com/qr/<id>that's encoded into the QR pattern. - Download and deploy the code. PNG or SVG, both free. Print it, embed it in an email, add it to a product label — wherever it needs to live.
- Watch scans come in. Every scan logs IP-based city and country automatically. The scan log updates in real time.
- (Optional) Enable GPS prompts. If you need precision-grade GPS for field work or asset tracking, toggle the geolocation requirement on. Scanners will see a permission prompt; those who accept will have lat/lon captured to within ~5 meters.
- Export the data. Hit the CSV export to pull the full scan log — timestamps, locations, devices, referrers, everything — into a spreadsheet or BI tool.
That's the whole workflow. There's no "wait until you upgrade to Pro to unlock geolocation" gate.
Privacy and compliance — what you need to know
Location data is regulated. The rules depend on where your scanners are, not where you are.
IP-based location is generally considered low-sensitivity personal data under GDPR and CCPA, but it is personal data once associated with other identifiers. You should disclose collection in your privacy policy and avoid combining it with PII unless you have a lawful basis.
GPS coordinates are higher-sensitivity. Most regulators treat precise geolocation as sensitive personal data requiring explicit consent. The HTML5 Geolocation prompt handles browser-level consent automatically — users actively click "Allow" — but if you're storing the data or using it for profiling, your privacy notice should say so.
Retention. Don't keep raw scan logs forever if you don't need to. A common pattern: keep raw scans for 90–180 days for operational use, then roll up to anonymized aggregates (city + week + count) for long-term analysis.
Disclosure on the QR code itself. For sensitive contexts (healthcare, finance, anything involving minors), some teams print a small "Scanning this code records your approximate location for analytics" notice near the code. Legally required only in narrow cases, but good practice.
If you're scanning at scale in a regulated industry, talk to counsel. None of this is legal advice.
Common gotchas with QR code location tracking
A few things trip people up:
Static codes can't be tracked. Worth saying twice. If your code doesn't route through a server, there's no scan event to log. Convert to dynamic before printing anything you want to measure.
VPNs and mobile carriers skew results. A scan from a Verizon iPhone in Brooklyn might log as Newark, NJ, because that's where Verizon's nearest gateway is. Aggregate-level analysis is reliable; treating individual scans as ground truth is not.
Browsers cache redirects. If you change a dynamic QR code's destination, some browsers will cache the old redirect for a few minutes. Scans during that window still log, but the user lands at the old URL. Not a tracking bug — a CDN behavior to know about.
GPS permission fatigue. If you prompt every scanner for GPS access, opt-in rates collapse. Reserve the GPS prompt for cases where you genuinely need precision (asset audits, field-service dispatch). For marketing, IP-based location is plenty.
Time zones. Scan timestamps are typically stored in UTC. Your dashboard might display them in your account timezone, but if you're exporting to a BI tool, convert to the scanner's local time using the captured location — otherwise "9 AM scans" will look weird across continents.
QR code location tracking vs. URL tracking parameters
A common question: "Why not just use UTM parameters?"
UTM parameters tell you which campaign a scan came from — utm_source=billboard&utm_medium=qr&utm_campaign=summer2026. They don't tell you where the scanner was physically standing. Location tracking and UTMs are complementary, not substitutes.
The pattern we recommend: bake UTMs into the destination URL (so Google Analytics gets the source attribution), and rely on the QR platform's scan log for geographic data (so you get city/country breakdowns without bloating GA with high-cardinality dimensions). We covered this setup in detail in QR Code Tracking in Google Analytics 4.
How to act on location data once you have it
Collecting data is the easy part. A few patterns that actually move the needle:
Reallocate spend toward winning regions. If 60% of your scans come from three metros, double down on placement in those metros next quarter and pull back from the bottom 30%.
A/B test by region. Run two versions of a campaign in similar markets and use scan-per-impression as your primary metric. Cleaner than landing-page A/B tests because the QR scan itself is the conversion event.
Build a city heatmap for ops. For multi-location businesses, plot scans on a map to see which stores are getting QR-driven foot traffic and which aren't. That's a real operational signal — the underperforming stores either have bad code placement or a local awareness problem.
Flag anomalies. Set a baseline scan rate per region and alert when it deviates by more than 3x in either direction. Spikes mean something is working (or your code got shared); drops mean a code went down, got covered up, or got replaced with a malicious sticker.
The bottom line
QR code location tracking is one of the highest-leverage data points in physical-world marketing — and the only thing you need is a dynamic QR code routed through a server that logs the IP. Adding GPS is optional but precise. Both are free in QRelix; both are paywalled on most competitors.
Skip static codes if you want analytics. Use IP-based location for marketing-level decisions. Reserve GPS prompts for operations work where precision matters. Don't over-collect, and disclose what you're capturing.
Ready to see your first scan on a map? Create a free trackable QR code in QRelix — no credit card, no expiration on your code, full scan log including location from day one.
Ready to Create Your Own QR Code?
Generate free, trackable QR codes with real-time analytics. No sign-up required.
Create Free QR Code