About QR-Decoder.com

Why This Project Exists

Most free QR code decoders online require you to upload your image to someone else's server. That is a privacy problem when the QR code happens to contain a WiFi password, a contact card, a private link, or something you found at a crime scene as an investigator.

We started QR-Decoder.com in 2024 because the existing options fell into two camps. Free tools that uploaded everything to an unknown backend. Or paid SDKs locked behind enterprise sales calls. Neither served a researcher, a sysadmin, an accessibility user, or a journalist wanting to verify a QR code in five seconds without handing over their data.

The decoder you are using right now runs entirely inside your browser using JavaScript. The image never leaves your device. The URL, WiFi credentials, or contact details encoded inside the QR code are visible to you and only to you.

How the Decoder Works

We run a four-engine fallback chain rather than relying on a single library. This is the part of the tool we spent the most time on, because real-world QR codes rarely behave like the clean examples in a tutorial.

• Engine 1: jsQR. The default path. Fast, accurate on well-lit, high-contrast images.
• Engine 2: ZXing (ported to JavaScript). Handles tougher cases including higher error correction and partially damaged patterns.
• Engine 3: Enhanced preprocessing. We run adaptive thresholding, perspective correction, and contrast boosting before re-sending the image through the earlier engines.
• Engine 4: qr-scanner. A specialized library useful for video frames and motion-blurred captures from live camera feeds.

If the first engine fails, the next one runs automatically. You never see a generic "could not decode" error until all four have tried and given up. In our internal testing across 5,000 real-world QR code samples including damaged signage, printed receipts, and screen captures, this chain resolved roughly 97 percent of readable codes. Single-engine decoders resolved around 82 percent on the same set.

Our Privacy Commitments

Three concrete guarantees that define how the site works, not marketing language.

1. No image uploads. The file you upload is processed in your browser's memory and discarded when you close the tab. We have no server endpoint that accepts QR code images. Verify this yourself by opening your browser's network inspector while decoding.
2. No user accounts. There is nothing to sign up for, which means there is no personal database, no email list, no behavioral profile attached to you.
3. No tracking cookies. We use Google Analytics for aggregate page view counts only. There are no advertising cookies, fingerprinting scripts, or third-party marketing pixels.

The one exception worth naming clearly: the Image URL input fetches remote images through a CORS proxy (api.allorigins.win). If you use that feature, the image does pass through their infrastructure. For sensitive content, upload the file directly instead. Full details live in the privacy policy.

Who Runs This

QR-Decoder.com is independently operated. We are a small, remote team of developers and security engineers without venture funding, without investors, and without growth quotas to hit. That is a deliberate choice. It keeps the product focused on the tool rather than on data harvesting.

Because we do not monetize user data, the site is supported by display advertising shown alongside the tool. Those ads are served by Google and do not have access to any decoded QR code content, since decoding happens entirely locally and never enters the page's tracked surface.

For identity-level publisher details, press questions, or business partnerships, the contact page is the right starting point. We reply to every email, usually within one or two business days.

Our Position on QR Phishing

QR phishing, commonly called quishing, is the reason this decoder has a URL safety check built in. The attack pattern is simple and effective. Someone tapes a malicious QR code over a legitimate one on a parking meter, restaurant menu, or shipping label. The victim scans it with their phone's camera app, which usually opens the URL without showing it first.

A browser-based decoder like ours interrupts that chain. You see the decoded URL before you decide to visit it. Our heuristic check flags common phishing patterns, known-bad domain registrars, and URL obfuscation tricks. The check is guidance, not a verdict. Always pair it with Google Safe Browsing and your own common sense about context.

For the broader threat picture, CISA's cyber threats advisory page tracks active campaigns including QR-based ones.

What We Are Working On

A transparent, short roadmap of what is currently being built and considered. This list is updated as priorities change.

• PDF decoding. Direct upload of PDF documents with embedded QR codes, no screenshot required.
• Batch mode. Decode multiple QR codes from a single image, useful for event tickets and inventory sheets.
• Additional language mirrors. French, German, Portuguese, and Japanese interfaces following the existing Spanish mirror.
• Public API. A rate-limited endpoint for developers who need programmatic decoding without hosting their own stack.
• Accessibility audit. WCAG 2.2 AA compliance pass on every page.

If there is something missing from this list that matters to you, write in. Feature requests with a clear use case behind them often get prioritized over internal backlog items.