Project 01 · Built for Türkiye · In progress

KVKK Shield: An AI Privacy Guard for Turkish Companies

KVKK Shield is a small browser tool. It hides Turkish personal data — like ID numbers, phone numbers, and e-mails — right on the user's own computer, before that data can be sent to AI apps such as ChatGPT or Claude. It lets staff keep using AI tools while still following the KVKK data-protection law.

Browser Extension · Runs On Your Computer · No Servers · KVKK (Law No. 6698) · JavaScript

My role: Designer & Developer
Field: Privacy & AI Safety
Country: Türkiye (KVKK)
Where it runs: In the browser only
Stage: Prototype → Pilot
Built for: Turkish companies

01 The problem

AI apps have become a normal part of everyday work. A staff member pastes a customer list to write an e-mail. A support agent pastes a complaint to get a quick summary. An analyst pastes a report to "clean it up." This saves time. But in Türkiye, it is often against the law.

The Turkish data-protection law, KVKK (Law No. 6698), has strict rules about sending personal data outside the country. Article 9 of the law covers this, and the rules were updated in June 2024 to set out exactly when data may be sent abroad. Popular AI apps — ChatGPT, Claude, Gemini, Copilot — run on servers abroad. So the moment someone pastes a Turkish ID number (T.C. Kimlik No), a local phone number, a customer e-mail, or an IBAN into one of these apps, personal data has just left the country. Usually there is no consent and no record. That is a real KVKK risk.

Why a simple ban does not work

Many companies react by banning AI tools at work. In practice this fails. People just use the tools on their phones or personal accounts instead — which is worse, because the data still leaves, and now the company cannot see any of it. KVKK Shield takes the opposite approach: let people keep their tools, and make the data safe before it is ever sent.

There is one key idea here. The only safe place to clean the data is the user's own computer, after they finish typing and before the message is sent. A company firewall cannot help, because the message is already encrypted and on its way. So the guard has to live in the browser itself.

02 The solution: clean the text in the browser

KVKK Shield is a browser extension. It has no server, no login, and no tracking. All the work happens inside the user's own browser. When it finds personal data in a message, it replaces that data with a safe label (for example, a real ID number becomes [ID_1]) before the message is sent. So the message that actually leaves the computer has no real personal data in it.

  1. Watch. It watches the AI chat box on a short list of approved AI websites.
  2. Find. It checks the text for ID numbers, phones, e-mails, IBANs, and card numbers.
  3. Hide. It swaps each one for a safe label and remembers the pairing in memory only.
  4. Send. Only the cleaned text is sent. If something looks unclear, it pauses and asks.
  5. Restore. In the reply on screen, it can put the real words back, just for the user.

For the user, it feels normal. They type as usual, and the AI answers as usual. But the private data never leaves their computer. If the tool is not sure whether something is private, it stops and asks instead of guessing. Safe is the default.

03 How it finds personal data accurately

Finding data correctly is the hard part. A simple rule like "hide any 11 digits" would also hide order numbers and product codes. Too many false alarms, and people switch the tool off. So KVKK Shield does not just check the shape of a number — it checks if the number is really valid. For a Turkish ID number, it runs the official math test that real ID numbers must pass.

detect-id.js
// Check if a Turkish ID number (TCKN) is really valid,
// not just "11 digits". This removes almost all false alarms.
function isValidTurkishID(value) {
  if (!/^[1-9]\d{10}$/.test(value)) return false;
  const d = [...value].map(Number);

  const oddSum  = d[0] + d[2] + d[4] + d[6] + d[8];
  const evenSum = d[1] + d[3] + d[5] + d[7];

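  // JavaScript's % keeps the sign of the left operand, so when
  // evenSum is larger than oddSum * 7 the result must be normalised to 0..9.
  const check10 = ((((oddSum * 7) - evenSum) % 10) + 10) % 10;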
  const check11 = (oddSum + evenSum + d[9]) % 10;

  return d[9] === check10 && d[10] === check11;
}

It checks the most common types of personal data, and gives each one a clear label so the message still makes sense:

| Type of data | How it is found | Safe label |
| --- | --- | --- |
| Turkish ID number (TCKN) | Right shape + official math check | [ID_1] |
| Turkish phone number | +90 / 05xx patterns | [PHONE_1] |
| E-mail address | Standard e-mail pattern | [EMAIL_1] |
| Bank account (IBAN) | TR + valid checksum | [IBAN_1] |
| Card number | 13–19 digits + Luhn check | [CARD_1] |
| Names of people / places | Simple on-device name list | [NAME_1] |

The labels are numbered on purpose. If a message has two people and two phone numbers, the numbers keep them apart — "call [NAME_2] on [PHONE_2]" — so the AI's answer still makes sense and the real words can be put back correctly.
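The IBAN and card rows of the table rely on two checksums that the page names but does not show. The following is an added example, not KVKK Shield's own code: the function names are hypothetical and the sample text is constructed. It applies the same "shape first, then checksum" idea to both types.

```javascript
// Added example: checksum validators for the IBAN and card rows (names are hypothetical).
const IBAN_RE = /\bTR\d{2}(?:\s?[0-9A-Z]{4}){5}\s?[0-9A-Z]{2}\b/gi;
const CARD_RE = /\b\d(?:[ -]?\d){12,18}\b/g;

// ISO 13616 mod-97 check, limited to Turkish IBANs (26 characters).
function isValidTurkishIBAN(raw) {
  const iban = raw.replace(/\s+/g, "").toUpperCase();
  if (!/^TR\d{7}[0-9A-Z]{17}$/.test(iban)) return false;
  // Move "TRkk" to the end and map letters to numbers (A=10 ... Z=35).
  const numeric = (iban.slice(4) + iban.slice(0, 4))
    .replace(/[A-Z]/g, c => String(c.charCodeAt(0) - 55));
  // Reduce digit by digit so the value stays within Number precision.
  let rem = 0;
  for (const ch of numeric) rem = (rem * 10 + Number(ch)) % 97;
  return rem === 1;
}

// Luhn check over 13 to 19 digits; spaces and dashes are ignored.
function isValidCardNumber(raw) {
  const digits = raw.replace(/[ -]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = digits.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    let n = Number(digits[i]);
    if (dbl) { n *= 2; if (n > 9) n -= 9; }
    sum += n;
  }
  return sum % 10 === 0;
}

// Scan free text. Valid IBANs are blanked first so their digit groups
// are not re-read as card numbers.
function findFinancialData(text) {
  const hits = [];
  const rest = text.replace(IBAN_RE, m => {
    if (!isValidTurkishIBAN(m)) return m;
    hits.push({ type: "IBAN", value: m });
    return " ".repeat(m.length);
  });
  for (const m of rest.matchAll(CARD_RE)) {
    if (isValidCardNumber(m[0])) hits.push({ type: "CARD", value: m[0] });
  }
  return hits;
}

// Constructed sample: one IBAN, one card, one 13-digit order number.
const SAMPLE = "Pay TR33 0006 1005 1978 6457 8413 26 by card " +
  "4111 1111 1111 1111, order 1234567890123";
```

Running `findFinancialData(SAMPLE)` reports the IBAN and the card but leaves the order number alone, because it has the right length and fails the Luhn check.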

04 How it catches the message in time

KVKK Shield checks the message in two places, for safety. First, it cleans the text in the chat box the moment the user presses Enter or clicks Send. Second, it checks the message again at the last step, just before it goes out over the network. If the first check is ever missed, the second one still catches it.

check-on-send.js
// Step 1: clean the text when the user tries to send it.
function onSend(event) {
  const box = getChatBox(event.target);
  if (!box) return;

  const original = getText(box);
  const result   = cleanText(original);   // finds and labels private data

  if (result.unsure) {
    event.preventDefault();             // not sure? stop and ask the user
    event.stopImmediatePropagation();   // keep the site's own handlers from sending it
    showQuickReview(box, result);
    return;
  }
  setText(box, result.cleaned);         // real data never reaches the network
}

document.addEventListener("keydown", e => {
  if (e.key === "Enter" && !e.shiftKey) onSend(e);
}, true);

  • It runs first. The check happens before the AI website's own code, so it cannot be skipped.
  • It has a backup. A second check at the network step catches anything the first one misses.
  • It only runs where needed. The tool is active only on a short list of approved AI sites, so every other website is untouched.
  • It keeps working. If the page reloads parts of itself, the tool re-attaches to the new chat box automatically.

05 Before and after

Here is what changes. The user writes the same message either way. But the message that leaves the computer is very different.

✕ What the user types

Write a reminder for Ayşe Yılmaz (ID 10000000146), phone +90 532 000 11 22, e-mail [email protected], IBAN TR12 0006 ...

✓ What is actually sent

Write a reminder for [NAME_1] (ID [ID_1]), phone [PHONE_1], e-mail [EMAIL_1], IBAN [IBAN_1]

The AI writes a perfect reminder for [NAME_1]. On the user's screen, KVKK Shield can quietly put the real name and details back into the reply. So the user gets a finished message, and the private data never went anywhere.
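The hide-and-restore cycle described here, together with the numbered labels from section 03, can be sketched as below. This is an added example, not KVKK Shield's own code: `createSession`, `clean` and `restore` are hypothetical names, the name list is left out, and the phone and e-mail patterns are simplified assumptions.

```javascript
// Added example, not KVKK Shield's code; createSession/clean/restore are hypothetical names.
function isValidTCKN(v) {            // same checksum rule as detect-id.js above
  if (!/^[1-9]\d{10}$/.test(v)) return false;
  const d = [...v].map(Number);
  const odd = d[0] + d[2] + d[4] + d[6] + d[8], even = d[1] + d[3] + d[5] + d[7];
  return d[9] === (((odd * 7 - even) % 10) + 10) % 10 &&
         d[10] === (odd + even + d[9]) % 10;
}

const DETECTORS = [
  { type: "ID",    re: /\b[1-9]\d{10}\b/g, valid: isValidTCKN },
  { type: "EMAIL", re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  { type: "PHONE", re: /(?<!\d)(?:\+90|0)[ -]?5\d{2}[ -]?\d{3}[ -]?\d{2}[ -]?\d{2}\b/g },
];

function createSession() {
  const byValue = new Map();  // real value -> label, so a repeat reuses its label
  const byLabel = new Map();  // label -> real value, held in memory only
  const counters = {};

  function labelFor(type, value) {
    if (!byValue.has(value)) {
      counters[type] = (counters[type] || 0) + 1;
      const label = `[${type}_${counters[type]}]`;
      byValue.set(value, label);
      byLabel.set(label, value);
    }
    return byValue.get(value);
  }

  function clean(text) {
    const events = [];        // audit trail: the type only, never the value
    for (const { type, re, valid } of DETECTORS) {
      text = text.replace(re, m => {
        if (valid && !valid(m)) return m;   // right shape, failed checksum: keep
        events.push({ type });
        return labelFor(type, m);
      });
    }
    return { cleaned: text, events };
  }

  // Put real values back into a reply; labels this session never issued stay as-is.
  const restore = reply =>
    reply.replace(/\[[A-Z]+_\d+\]/g, l => (byLabel.has(l) ? byLabel.get(l) : l));

  return { clean, restore };
}
```

Because the label map lives inside the session closure, dropping the session object discards every pairing, and a second session cannot resolve labels issued by the first.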

06 Why you can trust it

A privacy tool should not collect data itself. KVKK Shield is built so this is easy to prove:

  • No server and no account. The tool has nowhere to send data, and makes no calls of its own. Anyone can check this in the browser.
  • Nothing is saved. The list that links labels to real values lives in memory only, during the chat, and is then thrown away. It is never written to disk.
  • A simple local log. The company can keep a record that says a piece of data was hidden (its type, time, and site) — but never the data itself. This gives proof that the tool is working.
  • Company settings. A company can decide which data types are required and which AI sites are allowed, and roll the tool out to all staff.
  • Safe by default. When in doubt, it stops and asks instead of sending.

How this fits KVKK

KVKK is about keeping personal data to a minimum and only using it with a proper reason. KVKK Shield does exactly that at the riskiest moment: it makes sure the private data simply is not in the message that leaves the country — and it keeps a record to show the rule is being followed.

07 Why it matters, and what's next

KVKK Shield is made for Türkiye. It solves a problem that Turkish companies face every single day. It is built for local needs from the start — it knows Turkish ID numbers, Turkish phone formats, and Turkish bank accounts. And it answers a hard legal question with a practical tool instead of a ban.

I bring the full skill set to build it — the design, the code, and more than ten years of cloud and data-protection work from US government and company projects. The next step is moving from a working prototype to a real product, side by side with the founders, lawyers, and companies who are its first users. I would also like to give back to the local tech community through mentoring and shared work along the way.

Want to talk about KVKK Shield?

I am happy to show how it works or set up a small test for your team.

[email protected]