QR site profile: the code is an address, not a key

1 minHSE officerOrg owner
Code on the sitepublic — an address, not a keyAnonymousreports a hazard — no loginSigned-in workerlive permits + first-aid + evacSupervisorthe full site profile
One code, three layers by who opens it — the code is an address, not a key.

Put a QR sticker on every site. Scanning it opens the site page — and the page itself expands into three layers by who opens it. The governing principle: the code is an address, not a key — the sticker is public by nature and grants no permission on its own.

The three layers

  • Anonymous (no login): sees the site name, hazard tags, the assembly point, and a "Report a hazard" form. Nothing sensitive — the precise asset location and internal data are never exported.
  • A signed-in worker (same organization): also gets the daily utility — the permits active here now, the nearest first-aid kit, and the live evacuation routes.
  • A supervisor: sees the full site profile — assets, inspections, incidents, energy, audits, employees… each section appears only with its permission.

Why it works

A sticker used only for rare reporting is never scanned. The worker's daily utility is what builds the scanning habit that feeds reporting. And every scan and report is a field fact.

Stickers: printing and revocation

From QR locations:

  • "Print stickers" generates an A4 sheet (a code + the site name + a short code) ready to post.
  • "Revoke" deactivates the code, so its public page returns 404.
  • "Reissue" rotates the code to a new value — so every printed sticker dies at once (safety for a replaced or lost sticker). Reports link to the location, not the code, so no history is lost.

Read next