LaunchTrust
Log inStart trial

Detector registry

KVKK Aydınlatma Metni on Your Website: What to Check

Serving users in Turkey? See what a KVKK aydınlatma metni is, how a website check detects it, and how to spot a missing data-protection notice signal.

Updated 2026-06-19kvkk aydinlatma metni websiteSignals, not a verdict
Run free scanStart trial

If your app or store has users in Turkey, Turkey's personal-data protection law (KVKK, Law No. 6698) is part of your launch picture. One of the most visible expectations under KVKK is the aydınlatma metni — a data-protection disclosure ("information notice") that tells people what personal data you collect, why, on what legal basis, who you share it with, and what rights they have. For an indie developer or store owner, a missing or hard-to-find aydınlatma metni is a common, avoidable gap — easy to overlook when your site is otherwise built for an English-speaking audience.

This page explains what LaunchTrust looks for on your public page, how to read the result, how it maps to KVKK expectations, and how to close the gap if the notice is missing.

What LaunchTrust checks

The kvkk detector reads the public HTML of the page you point it at and looks for wording that indicates a KVKK / Turkish data-protection notice is present. It is a positive signal — meaning this is something you generally want detected if you serve users in Turkey. There is no login and no crawl of private pages: it inspects the markup any visitor receives.

Specifically, the detector scans the served HTML for Turkish data-protection terminology, matching (case-insensitively) any of these phrases:

  • kvkk — the common short name for the law
  • kişisel verilerin korunması — "protection of personal data"
  • aydınlatma metni — the disclosure / information notice itself
  • açık rıza — "explicit consent"
  • 6698 sayılı — a reference to Law No. 6698

What each result means here:

  • Detected — at least one of these phrases appears in the page HTML. The note echoes back a short snippet of the matched wording (the first ~40 characters) so you can see what triggered it. This signals the presence of KVKK-related language; it does not judge whether the notice is complete, accurate, or correctly linked.
  • Not detected — none of the matched phrases were found. The note is explicit that this is relevant if you serve users in Turkey — a site with no Turkish audience may legitimately have no such wording.
  • Unable to determine — the page could not be fetched or parsed (network error, blocked request, empty response), so no conclusion is drawn.

Because the check matches keywords in served HTML, it keys off wording, not legal sufficiency. A page that names the law but says nothing meaningful would still register as detected; a properly drafted notice that lives behind a script-injected modal or on a page the scanner did not fetch could read as not detected. Treat detected as "KVKK-related text appears on this page," not "your KVKK disclosure is correct or complete."

Why it matters

KVKK (Law No. 6698 on the Protection of Personal Data) is Turkey's primary data-protection regime, overseen by the Turkish data-protection authority. Two ideas drive the on-page signal:

  • The duty to inform (aydınlatma yükümlülüğü). When you collect personal data, KVKK generally expects you to inform the data subject — at the time of collection — about who the data controller is, what data is collected and why, who it may be transferred to, the method and legal basis of collection, and the individual's rights. On a website, that disclosure is typically published as the aydınlatma metni.
  • Explicit consent (açık rıza). For processing not covered by another lawful basis, KVKK relies on explicit consent that is specific, informed, and freely given. The information notice is what makes such consent "informed."

This is why the KVKK signal sits next to your other privacy signals rather than replacing them. A general privacy policy aimed at GDPR or US users is not automatically a KVKK aydınlatma metni — the law has its own expected contents and is usually published in Turkish. If you set non-essential cookies or load trackers for Turkish visitors, the same disclosure and consent thinking applies. Pair this check with /detectors/privacy-policy, /detectors/cookie-consent-banner, and /detectors/third-party-tracking, and see /jurisdictions/turkey for the broader regional view.

These expectations are commonly relevant whenever you process the personal data of people in Turkey — being based elsewhere does not by itself put you outside KVKK's scope.

A concrete example

Here is roughly what a detected result keys off in your HTML — a footer link and notice text using the recognized wording:

<footer>
  <a href="/kvkk-aydinlatma-metni">KVKK Aydınlatma Metni</a>
</footer>

<section id="kvkk">
  <h2>Kişisel Verilerin Korunması — Aydınlatma Metni</h2>
  <p>6698 sayılı Kanun kapsamında ... açık rıza ...</p>
</section>

Any one of those phrases — KVKK, aydınlatma metni, kişisel verilerin korunması, açık rıza, or 6698 sayılı — is enough to flip the signal to detected.

A not detected page is simply one where none of that wording appears anywhere in the served markup. For a site with no Turkish users that may be fine; for one that markets to or onboards users in Turkey, it is a gap worth closing.

How to address it

  1. Decide whether KVKK applies to you. If you collect personal data from people in Turkey — sign-ups, orders, analytics tied to identifiable users — assume the aydınlatma metni expectation is in scope, even if your company is elsewhere.
  2. Draft a real aydınlatma metni, not a translated boilerplate. Cover the expected contents: who the data controller is, what data you collect and for what purposes, the legal basis and method of collection, who you transfer data to, and the data subject's rights under KVKK.
  3. Publish it in Turkish and make it reachable. Put it on a stable URL and link it from your footer, sign-up forms, and any data-collection point — the notice should be available at the time of collection, not buried.
  4. Separate notice from consent. Where you rely on açık rıza, present the consent choice distinctly from the information notice, and keep it specific and freely given rather than bundled into a single "I agree."
  5. Align it with your other privacy surfaces. Make sure your cookie banner, tracker disclosures, and general privacy policy are consistent with what the aydınlatma metni says.
  6. Re-scan and confirm. After publishing, re-run the check so the KVKK wording registers as detected, and open the page yourself to confirm the notice is complete and linked where users actually provide data.

Check this in 30 seconds

Run your URL through LaunchTrust's free scanner. It tells you whether KVKK / Turkish data-protection wording (the aydınlatma metni signal) is detected on your public page, and it checks your privacy policy, cookie banner, and third-party trackers at the same time — so you can see your Turkey-facing privacy surfaces together before you point real traffic at the site. No signup and no crawl of private pages: it reads the same public HTML your visitors get.

FAQ

What is a KVKK aydınlatma metni? It is the data-protection information notice expected under Turkey's KVKK (Law No. 6698). It tells people whose data you collect who the data controller is, what data you collect and why, the legal basis and method, who you share it with, and their rights — and it is typically published in Turkish at the point of collection.

Is my GDPR privacy policy enough for Turkey? Not necessarily. KVKK has its own expected contents and terminology and is usually published in Turkish, so a GDPR-oriented policy may not fully serve as a KVKK aydınlatma metni. The detector also only matches Turkish-language KVKK wording, so an English-only policy will typically read as not detected.

The scanner says "detected" — does that mean my KVKK notice is correct? Not necessarily. Detected means recognized KVKK wording appears in your HTML. It does not verify that the notice is complete, accurate, published in the right place, or linked at every collection point. Treat it as "KVKK text is present," then review the notice itself.

Does this mean my app meets KVKK requirements? No. LaunchTrust surfaces signals — detected, not detected, or unable to determine — to help you find gaps before you launch. It does not certify your app, render a verdict, or provide legal advice. For your specific situation, consult a qualified professional, and see /jurisdictions/turkey for context.

Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.