LaunchTrust
Log inStart trial

Jurisdiction guides

Turkey KVKK App Requirements: An Indie Developer's Overview

Turkey's digital rules for indie apps, mapped: KVKK data protection, cookies, distance selling, consumer law, and accessibility signals to check.

Updated 2026-06-19turkey kvkk app requirementsSignals, not a verdict
Run free scanStart trial

If your app or web product is offered to people in Turkey — even by a solo developer based somewhere else — a handful of Turkish digital rules can apply to you. The headline one is KVKK (Kişisel Verilerin Korunması Kanunu, Law No. 6698), Turkey's personal-data-protection law, which is broadly modeled on the GDPR but has its own regulator, its own disclosure ("aydınlatma") duty, and its own paperwork. If you collect emails, accounts, device IDs, or analytics from Turkish users, KVKK is the rule indies trip over first.

This is a practical, launch-time map of the main areas a Turkish audience triggers: KVKK data protection, cookies and tracking, distance selling, consumer protection, and accessibility. It is non-exhaustive by design — it points at the areas most likely to matter for a small product and the LaunchTrust signals that help you spot gaps, not a complete legal analysis. For your specific situation, talk to a qualified professional in Turkey.

The areas a Turkish audience triggers

1. Data protection — KVKK

KVKK governs the processing of personal data of people in Turkey. Like the GDPR, it expects a lawful basis, data-subject rights, and — distinctively — a clear, advance disclosure notice (aydınlatma metni) that tells users who the data controller is, what data you collect, why, on what legal ground, and to whom it may be transferred. Turkey also maintains a controllers' registry (VERBİS); whether you must register depends on thresholds and exemptions, so check your category rather than assuming you're in or out. Cross-border transfer of personal data out of Turkey has its own conditions — relevant if your backend, analytics, or auth provider sits abroad, which for most indies it does.

The most visible public signal is a Turkish-language KVKK notice that's present and linked. → KVKK Turkey notice detector. A general privacy policy alone is often treated as not enough, because KVKK expects the specific aydınlatma wording — so LaunchTrust checks for the KVKK-specific notice separately from your privacy policy. A user-facing way to delete an account and exercise data rights is also commonly expected.

2. Cookies and tracking

Turkey does not have a standalone "cookie law," but the Personal Data Protection Authority (KVKK Kurumu) has published guidance treating cookies and similar trackers as personal-data processing when they identify users. The practical takeaway for an indie: non-essential cookies and trackers — analytics, advertising, embedded third-party scripts — are commonly expected to rest on a clear notice and, depending on the cookie's purpose, user consent, rather than firing silently on first load. LaunchTrust can surface whether a consent mechanism is present and whether known trackers appear to fire. → cookie consent banner and third-party tracking. A present banner is a signal, not proof the flow meets the Authority's guidance.

3. Distance selling and consumer protection

If you sell to consumers in Turkey, the Law on the Protection of Consumers (No. 6502) and the Distance Contracts Regulation apply. They commonly require a pre-contract information set, a written/durable confirmation, and a withdrawal ("cooling-off") right — typically framed as a 14-day window — with specific exceptions for digital content and services (for example, where the consumer agrees to immediate performance and acknowledges losing the right). You're generally expected to disclose price, total cost, cancellation, and withdrawal terms before purchase. The public signals are a discoverable refund/cancellation policy and honest auto-renewal disclosure. → refund & cancellation policy and subscription auto-renewal disclosure.

4. Provider identification and contact

Turkish e-commerce rules (rooted in the Law on Regulation of Electronic Commerce, No. 6563) expect commercial online services to make basic provider-identification easy to find: who you are, a reachable way to contact you, and certain trader details. For an indie this usually means a clear identity and a working contact route a user can reach before they buy. → contact / imprint detector.

5. Digital accessibility

Turkey has accessibility obligations rooted in disability-rights law and public-sector standards, and accessibility is increasingly an expectation for consumer-facing services. There is no single private-app rule as crisp as a store guideline, so treat this as good practice that also reduces friction with users and reviewers. Several baseline signals are cheap to verify on a public page: a declared page language (and a Turkish lang value where your content is Turkish), a meaningful title, image alt text, and form-input labels. → page language, page title, image alt text, and form input labels.

What LaunchTrust checks (and what it doesn't)

LaunchTrust passively fetches your public URL and reports signalsdetected, not detected, or unable to determine — for the surfaces above. For Turkey specifically, the KVKK detector looks for the presence of a KVKK / aydınlatma notice and Turkish-language data-protection wording an anonymous visitor receives. "Detected" means that wording, link, or marker is present in the HTML; it does not confirm your aydınlatma text is adequate, that your consent flow is valid, that you've registered with VERBİS, or that you satisfy any Turkish rule. "Not detected" flags a gap worth a human look; "unable" means the page couldn't be assessed. It does not crawl private areas, does not read your backend, and never issues a verdict, score, certification, or any rating of where your app stands under KVKK. No scanner can. It's a fast way to find missing trust signals before a user, regulator, or app reviewer does.

A concrete example

A KVKK signal LaunchTrust reads as detected is a clearly labeled, linked notice in Turkish, for example:

<a href="/kvkk-aydinlatma-metni">KVKK Aydınlatma Metni</a>

A not detected result is a page with only a generic English privacy policy and no KVKK-specific notice — exactly the gap a Turkish user or reviewer flags. As always, "detected" is a signal that something is there, not a judgment that your aydınlatma wording meets KVKK.

How to address Turkish requirements before launch

  1. Publish a KVKK aydınlatma notice in Turkish and link it from your footer, signup screen, and app store listing. → KVKK Turkey notice
  2. Keep a clear privacy policy too — the KVKK notice complements, rather than replaces, your general policy. → privacy policy
  3. Check whether VERBİS registration applies to you, based on the current thresholds and exemptions, and review your cross-border transfer basis if your stack runs abroad.
  4. Add a notice-and-consent layer for non-essential cookies so analytics and ad scripts don't fire silently. → cookie consent banner
  5. State withdrawal, refund, and auto-renewal terms clearly before purchase. → refund & cancellation policy
  6. Expose provider identity and contact details users can reach. → contact / imprint
  7. Cover accessibility basics — a correct lang, a meaningful title, alt text, and form labels. → page language
  8. Offer in-product account and data deletion so users can exercise their rights. → account & data deletion
  9. Re-scan and confirm each gap flips to detected, then verify each surface yourself in a logged-out browser.

Check this in 30 seconds

Run your URL through LaunchTrust's free scanner. It fetches your live page and reports whether a KVKK / aydınlatma notice, privacy policy, cookie consent, refund terms, and contact details are detected, not detected, or unable to determine — so you can close obvious Turkey-facing gaps before you point Turkish traffic at your app. No signup, no private-page crawling: it reads the same public HTML your visitors get.

FAQ

Does KVKK apply to me if I'm a solo developer outside Turkey? Often, yes. KVKK is generally written to reach the processing of personal data of people in Turkey. If Turkish users can sign up, buy, or have their data collected, you're commonly in scope — and the aydınlatma notice and data-rights handling are the parts indies most often miss.

Is a GDPR privacy policy enough for Turkey? Usually not on its own. KVKK expects a specific disclosure ("aydınlatma") notice in Turkish covering the controller, purposes, legal grounds, and transfers. A GDPR policy is a good base, but the KVKK-specific notice is the signal a Turkish reviewer or user looks for.

Do I have to register with VERBİS? It depends. VERBİS registration is tied to thresholds (such as size and the nature of processing) and there are exemptions, so check your category against the current rules rather than assuming. LaunchTrust does not and cannot tell you whether you must register.

Does passing these checks confirm my app meets KVKK? No. LaunchTrust reports observable signals on your public pages; it does not confirm that your aydınlatma text, consent flow, VERBİS status, or practices satisfy KVKK or any other Turkish rule, and it issues no verdict, score, or certification. It is a compliance aid, not legal advice. For your situation, consult a qualified professional in Turkey.

Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.