QR Codes Are Back: How Onlure Uses Offline Attribution to Track Real Customers

Onlure Team | January 20, 2025 | 5 min read

Remember when QR codes were a joke? Those pixelated squares on posters that nobody ever scanned?

Fast forward to 2025, and QR codes are everywhere—restaurant menus, concert tickets, payment apps, even Super Bowl ads. The pandemic forced everyone to adopt them, and now they're the secret weapon behind Onlure's offline attribution system.

Here's how we use QR codes to connect online creator shares to real-world customer visits—without invasive tracking or creepy cookies.

The QR Code Renaissance

QR codes went from "futuristic gimmick" to "essential tool" almost overnight:

  • 2019: 11% of Americans had ever scanned a QR code
  • 2023: 89% of smartphone users have scanned one in the past year
  • 2025: QR payments and QR-based attribution are the new standard
Why the shift? Three reasons:

    1. COVID-19 made contactless everything mandatory (menus, payments, check-ins)
    2. Smartphones got native QR scanning built into cameras (no app needed)
    3. Privacy regulations killed web cookies, making QR codes the best alternative for offline attribution

    The Problem with Online-Only Tracking

    Most creator marketing platforms (Instagram, TikTok, YouTube) only track online conversions:

  • Clicks on a link
  • Views of a video
  • Website visits

    But what if your business is a physical location? A cafe, boutique, salon, or gym?

    When a creator shares your business and someone shows up in person, traditional analytics have no clue. You're left guessing whether that new customer came from:

  • The creator's Instagram post
  • A Google search
  • Word of mouth
  • Walking by and seeing your sign

    Enter QR codes.

    How Onlure's QR Attribution Works

    Here's the magic behind Onlure's system:

    1. Every Drop Gets a Unique QR Code

    When a small business creates a Drop (an exclusive offer), Onlure generates an HMAC-signed QR code. This QR code is:

  • Unique to that specific Drop
  • Cryptographically signed to prevent fraud (more on this below)
  • Time-bound so it expires when the campaign ends

    The business prints this QR code or displays it on a tablet at checkout.

    2. Creators Get Personal Share Links & QR Codes

    When a creator shares a Drop, Onlure mints a personal trackable link for them:

    `https://o.lure/c/{share_id}`

    This link also generates a custom QR code that the creator can share on Instagram Stories, TikTok videos, or printed flyers.

    3. Consumers Scan at Redemption

    When a consumer wants to redeem the offer, they:

    1. Scan the QR code at the business (shown on a phone or printed)
    2. Onlure validates the code in real-time
    3. The system checks:
       - Is this Drop still active?
       - Is there quota left?
       - Is the consumer within ~100m of the store? (geo-fencing prevents fraud)
       - Has this device already redeemed? (prevents duplicate scans)
    4. If valid, the redemption is logged and coins are awarded:
       - +5 coins to the consumer
       - +5 coins to the creator who shared it
       - +5 coins to any secondary referrer (if applicable)

    4. Real-Time Attribution Dashboard

    The small business sees exactly which creators drove which customers:

  • Creator A: 23 redemptions
  • Creator B: 17 redemptions
  • Direct scans (no creator attribution): 8 redemptions

    No guessing. No "brand awareness" hand-waving. Just hard data.

    The Technical Magic: HMAC-Signed QR Codes

    QR codes are easy to generate—anyone with a phone can make one. So how do we prevent fraud?

    HMAC (Hash-Based Message Authentication Code) Signing:

    Every QR code payload includes:

  • Drop ID
  • Share ID (if applicable)
  • Timestamp
  • Expiration window (usually 24 hours)
  • HMAC signature generated with a secret key

    When someone scans the QR code, Onlure's backend:

    1. Decodes the payload
    2. Recomputes the HMAC using the server's secret key
    3. Compares the signatures

    If they match → legit code. If not → fraud attempt blocked.

    This prevents:

  • Fake QR codes printed by competitors
  • Expired codes being reused
  • Tampering with Drop terms (changing discounts, quotas, etc.)

    We also rotate HMAC keys every 90 days for extra security.
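
The sign-and-verify flow described above, as an added example that is not Onlure's own code. The JSON field names, the base64url `payload.signature` layout, HMAC-SHA256, and the `kid` key identifier used to handle the 90-day rotation are all assumptions made for illustration; the keys are constructed demo values.

```python
import base64, hashlib, hmac, json

# Constructed demo keys. "kid" (an assumed field) lets codes signed before a
# rotation keep verifying until they expire, after which the old key is retired.
KEYS = {"2025-q1": b"constructed-demo-key-1", "2025-q2": b"constructed-demo-key-2"}
CURRENT_KID = "2025-q2"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_qr(drop_id, share_id, issued_at, ttl=24 * 3600, kid=CURRENT_KID):
    """Return the string encoded in the QR code: <payload>.<signature>."""
    body = json.dumps({"drop": drop_id, "share": share_id, "iat": issued_at,
                       "exp": issued_at + ttl, "kid": kid},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(KEYS[kid], body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(tag)

def verify_qr(token, now):
    """Return (claims, None) when valid, otherwise (None, reason)."""
    try:
        body_part, tag_part = token.split(".")
        body, tag = b64d(body_part), b64d(tag_part)
        claims = json.loads(body)
        key = KEYS[claims["kid"]]   # kid only selects among server-held keys
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; no other field is used before the MAC check passes.
    if not hmac.compare_digest(expected, tag):
        return None, "bad_signature"
    if not claims["iat"] <= now < claims["exp"]:
        return None, "expired"
    return claims, None
```

A valid signature shows only that the payload was issued by the key holder and not modified. A copy of a genuine code still verifies until it expires, which is why the signature is paired with the checks in the next section.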

    Anti-Fraud: Beyond HMAC

    QR codes alone aren't enough. We layer on multiple fraud detection mechanisms:

    Unique Hash Guard: Every redemption generates a hash:

    ```
    sha256(drop_id|share_id|device_fingerprint|day)
    ```

    If someone tries to scan twice in the same day, the system blocks it.

    Geo-Fencing: Redemptions must happen within ~100 meters of the store. A creator in Vancouver can't redeem a Drop in Toronto.

    Rate Limiting: Each store device can only process 5 redemptions per minute. Prevents bots from spamming scans.

    Device Fingerprinting: We track (anonymized) device IDs. If the same device redeems 20 Drops in one hour, it's flagged for review.
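
How three of these layers (unique hash guard, geo-fence, per-device rate limit) can be combined into one redemption check, as an added example that is not Onlure's own code. The `RedemptionGuard` class, the record field names, the in-memory storage and the result strings are assumptions; the 100 m, 5-per-minute and hash formula values are the ones stated above.

```python
import hashlib, math
from collections import defaultdict, deque

GEOFENCE_M, RATE_LIMIT, RATE_WINDOW_S = 100, 5, 60

def redemption_hash(drop_id, share_id, device_fp, day):
    # sha256(drop_id|share_id|device_fingerprint|day). Fields must not contain
    # "|" themselves, or two different tuples could produce the same input.
    joined = f"{drop_id}|{share_id}|{device_fp}|{day}"
    return hashlib.sha256(joined.encode()).hexdigest()

def distance_m(lat1, lon1, lat2, lon2):
    # Haversine great-circle distance in metres.
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(a))

class RedemptionGuard:
    def __init__(self):
        self.seen = set()                  # hashes of accepted redemptions
        self.recent = defaultdict(deque)   # store_device -> recent scan times

    def check(self, r, store_lat, store_lon):
        """r: dict with drop_id, share_id, device_fp, store_device, lat, lon, ts, day."""
        window = self.recent[r["store_device"]]
        while window and r["ts"] - window[0] >= RATE_WINDOW_S:
            window.popleft()               # drop scans older than one minute
        if len(window) >= RATE_LIMIT:
            return "rate_limited"
        window.append(r["ts"])
        if distance_m(r["lat"], r["lon"], store_lat, store_lon) > GEOFENCE_M:
            return "outside_geofence"
        h = redemption_hash(r["drop_id"], r["share_id"], r["device_fp"], r["day"])
        if h in self.seen:
            return "duplicate"
        self.seen.add(h)                   # recorded only for accepted scans
        return "ok"
```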

    Why QR Codes Beat Links for Offline Businesses

    You might ask: "Why not just use trackable links?"

    Links work great for e-commerce, but they break down for physical stores:

    Friction: Asking someone to "click this link, then show proof at checkout" adds steps. QR codes are instant.

    Verification: A link can't prove someone is actually at the store. QR + geo-fencing can.

    Offline-first: QR codes work even with spotty Wi-Fi (they cache the payload). Links require constant connectivity.

    Universal: Every smartphone camera can scan QR codes natively (iOS and Android). No app download required.

    Real-World Impact: The Queen West Cafe

    A Queen West cafe ran a Drop: "Buy one latte, get one free (max 50 redemptions)."

    Results after 10 days:

  • 42 redemptions (84% of quota used)
  • 31 came from creator shares (tracked via QR codes)
  • 11 were direct scans (customers saw the QR poster in-store)

    Attribution breakdown:

  • Creator A (coffee blogger, 8K followers): 18 redemptions
  • Creator B (local foodie, 4K followers): 9 redemptions
  • Creator C (lifestyle influencer, 12K followers): 4 redemptions

    The cafe learned that micro-creators with engaged audiences (Creator B) drove almost as many visits as larger influencers (Creator C).

    Next campaign? They offered Creator A and B premium partnerships. That's data-driven decision-making.

    The Future: QR Codes Everywhere

    Onlure's QR attribution is just the beginning. Imagine:

  • Smart receipts: Scan a QR code after purchase to earn loyalty coins
  • Event check-ins: Track which creators drove ticket sales for concerts, markets, pop-ups
  • Multi-store chains: Franchise owners see which locations convert best from creator campaigns
  • Cross-platform attribution: Connect Instagram shares → TikTok shares → in-store visits in one dashboard

    QR codes aren't just for menus anymore. They're the bridge between digital marketing and real-world commerce.

    ---

    *Curious about the tech behind Onlure? Email us at support@onlure.ca*
