Provable privacy — don't take our word for it

Every QR generator says "we respect your privacy." That sentence is unverifiable marketing. This page shows you how to verify ours in your own browser, in under a minute.

The architecture

QR Code Zebra is a static website. There is no application server, no API, and no database. When you open a tool page, your browser downloads HTML, CSS, and JavaScript — and from that point on, QR generation runs entirely on your device using the Canvas and SVG capabilities built into your browser.

Your WiFi password, contact details, wallet address, or any other content you type is never transmitted, because there is nothing to transmit it to. This is a structural property, not a policy: we could not collect your data even if we wanted to.

Verify it yourself (60 seconds)

1. Open any tool, e.g. the WiFi QR generator.
2. Open your browser's developer tools (F12 or Cmd+Option+I) and switch to the Network tab.
3. Clear the network log, then type your WiFi details and generate the code.
4. Watch the network log: zero requests. Type more, change colors, download the PNG — still zero. Your data stayed on your device.

Enforced by the browser, not by trust

We serve a Content-Security-Policy header that instructs your browser to refuse outbound connections to anything except this site. Even if our code were compromised, the browser itself would block an attempt to send your data elsewhere:

default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.tile.openstreetmap.org https://unpkg.com; connect-src 'self'; font-src 'self' data:; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'

connect-src 'self' is the load-bearing directive: scripts on this page cannot make network requests to any third-party origin. You can confirm the header with curl -I https://qrcodezebra.com/.

Honest exceptions

A claim is only provable if its exceptions are listed:

• The location tool loads map tiles. The map-based location picker fetches map imagery from OpenStreetMap's tile servers and marker icons from unpkg.com — that's what the two extra img-src entries above allow. The tile server sees which map area you viewed (as it does for any map site); the coordinates you encode into the QR are still processed only on your device.
• Standard hosting logs exist. The static files are served by Cloudflare, which (like any host) processes requests at the network level. What it never receives is the content you type into the tools — that content produces no requests.

If we ever add anything that sends a byte — for example an anonymous usage counter — this page will document the exact request before it ships, and the tools will keep working with it blocked.

What this means for your codes

• Codes never expire — they encode your destination directly, with no redirect service that could shut down or start charging.
• No scan tracking — nobody (including us) sees who scans your codes, ever.
• No account to breach — we can't leak data we never had.

Questions about this page? Contact us. See also the privacy policy.