Picture Monday morning. A user emails your support address: "I forgot my email, can you look up the account for jane@example.com?" Your AI-built support chat returns Jane's name, address, phone, last four digits of her card, and last 30 days of orders. The user is not Jane. The screenshot lands on social media by lunch. By Friday, the data protection authority has a file open. This is the kind of breach that vibe-coded apps create by default, and it sits at the intersection of every modern privacy law that applies to your business. If you have shipped an app that touches customer data, you are a data controller under the law. The penalties are not theoretical. The clock is not soft. This post explains what you actually owe customers in 2026 and how we cover all of it in a single 360 degree review. This is general information, not legal advice. Talk to a lawyer for your situation.
If you shipped the app, you are the data controller
The first thing most founders get wrong is assuming the platform they used (Lovable, Cursor, Replit, the cloud provider, the database vendor) carries the legal weight. It does not. Under GDPR, the data controller is whoever decides why and how personal data is processed. If you decided your app would collect customer addresses, you are the controller. The platforms are processors. Processors have obligations too, but the controller is the one regulators name first and ask first. Under Turkey's KVKK, the equivalent role is veri sorumlusu. The same idea applies under CCPA (business), LGPD (controlador), and DPDP Act (data fiduciary). The label changes. The responsibility does not.
Building your app with an AI tool does not change your role under the law. The AI tool is, at most, a processor. You are still the controller.
The regulations that apply, by region
Five regulations cover most founders shipping AI-built apps in 2026. Each has its own fines, notification timelines, and customer rights. The table below summarises what triggers them and what they cost when triggered. This is general information, not legal advice. Talk to a lawyer for your situation.
- GDPR (EU + EEA): applies if you have any user in the EU. Max fine: 20 million euros or 4% of global annual revenue, whichever is higher (Article 83). Breach notification: 72 hours from awareness (Article 33).
- KVKK (Turkey, Law 6698): applies if you have Turkish users. Administrative fines reach into the millions of Turkish lira. The data controller is named in the public decision.
- CCPA + CPRA (California): applies if you do business in California and meet revenue or scale thresholds. Statutory damages: 100 to 750 US dollars per record per incident.
- LGPD (Brazil): applies to processing of Brazilian residents' data. Fines up to 2% of revenue in Brazil, capped at 50 million reais per incident.
- DPDP Act (India, 2023): applies to processing of personal data in India. Fines up to 250 crore rupees per incident (roughly 30 million US dollars).
If your app has a single EU user, GDPR applies to the entire app. The same logic applies to KVKK and DPDP. You do not get to opt out by being based somewhere else.
The 72-hour breach-notification clock and why founders miss it
GDPR Article 33 gives you 72 hours to notify the regulator after a personal-data breach. KVKK in Turkey gives you a similar window. The clock starts from when you become aware, not when you decide to act, finish your investigation, or feel ready to talk about it. Founders miss this clock for three reasons. They had no error monitoring, so awareness came from a customer email instead of an alert. They were not sure whether it qualified as a breach (most do). Or they wanted to fix it first and notify second. None of those reasons is a defense once the regulator looks at the timestamps.
Customer rights your AI-built app already has to support
Both GDPR and KVKK give your customers specific rights that your app must honor today, not when you get around to it. Vibe-coded apps almost never have these endpoints. They are not optional.
- Right of access: a customer can ask for everything you hold on them. You have one month (GDPR Article 12).
- Right to erasure (the 'right to be forgotten'): a customer can ask you to delete their data (GDPR Article 17). Limited exceptions apply.
- Right to portability: a customer can ask for their data in a portable format (GDPR Article 20).
- Right to rectification: a customer can ask you to fix incorrect data about them.
- Right to object: a customer can object to certain processing, particularly marketing.
- Equivalent rights exist under KVKK, CCPA, LGPD, and DPDP Act.
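The opening scenario (a support lookup that hands Jane's record to whoever types her email) and the rights listed above come down to the same engineering rule: every read, export or delete of personal data is scoped to the authenticated identity from the session, never to an email the caller supplied. The block below is an added illustration, not code from this post or from any of the products named on the page; the in-memory store, the field names, the Principal type and the audit log are constructed assumptions.

```python
"""Authorization-scoped customer lookup plus data-subject access, portability
and erasure handlers. Added illustration; the store, field names and the
Principal type are constructed assumptions, not a real application's code."""
import json
from dataclasses import dataclass

# Constructed sample store keyed by customer id (not real customer data).
CUSTOMERS = {
    "c1": {"email": "jane@example.com", "name": "Jane Roe", "phone": "+1-555-0100",
           "card_last4": "4242", "orders": [{"id": "o1", "total": 42.0}]},
    "c2": {"email": "bob@example.com", "name": "Bob Doe", "phone": "+1-555-0199",
           "card_last4": "1111", "orders": []},
}
AUDIT_LOG = []  # served and denied requests: evidence for the 72-hour clock


@dataclass(frozen=True)
class Principal:
    """Authenticated caller. user_id comes from the session, never from input."""
    user_id: str


def lookup_account(requester: Principal, email: str):
    """Serve a record only when the requester owns it. The vibe-coded version
    searched by email alone and returned whatever it found to anyone."""
    owner_id = next((cid for cid, c in CUSTOMERS.items() if c["email"] == email), None)
    if owner_id is None or owner_id != requester.user_id:
        AUDIT_LOG.append({"event": "lookup_denied", "by": requester.user_id, "email": email})
        return None  # same answer for "no such account" and "not yours": no enumeration
    AUDIT_LOG.append({"event": "lookup_served", "by": requester.user_id})
    return CUSTOMERS[owner_id]


def export_subject_data(requester: Principal) -> str:
    """Right of access / portability: everything held on the caller, as JSON,
    scoped by session identity rather than by a caller-supplied email."""
    record = CUSTOMERS.get(requester.user_id)
    if record is None:
        return json.dumps({})
    return json.dumps({"subject_id": requester.user_id, **record}, sort_keys=True)


def erase_subject(requester: Principal) -> int:
    """Right to erasure: remove the caller's profile and orders; returns the
    number of order rows removed so the response can be audited."""
    record = CUSTOMERS.pop(requester.user_id, None)
    removed = len(record["orders"]) if record else 0
    AUDIT_LOG.append({"event": "erased", "by": requester.user_id, "orders": removed})
    return removed
```

The audit log is what lets you date awareness of a misuse to an alert rather than to a customer's email, which is the difference between meeting and missing the notification window.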
Our 360 degree review covers security, function, and legal data handling
Most engineering reviews stop at security. Most legal reviews never look at your code. The result is that founders pay for both and still have the gap in the middle. Our 360 degree review for vibe-coded apps covers all three in one pass.
- Security: authorization, rate limits, secrets handling, error monitoring, deployment hardening.
- Function: performance basics, reliability, the production-readiness checklist that decides whether your launch sticks.
- Legal data handling: data inventory, processing-purpose review, the rights endpoints (access, erasure, portability), breach-notification readiness, and a written checklist your team can hand to a lawyer.
- Output: one written report covering all three, with the priority of each issue and the cost to fix. You keep the report whether you hire us or not.
We are not a law firm and we do not give legal advice. We do help your lawyer find the gaps that matter. The 360 degree review is what they need from us to do their job well.
Why we can do this for you
We have spent 20+ years building software, including the open-source toolkit (@ibrahim-bayer/strapi-http-toolkit) that Strapi officially lists on its integrations directory at https://strapi.io/integrations/strapi-http-toolkit. We run production apps that handle real personal data (Kendin Bak at https://kendinbak.ibgroup.dev, Seyir Yardımcısı at https://navigasyon.ibgroup.dev) and the multi-tenant e-commerce platform Lean Cart at https://leancart.global, where customer-data isolation is the entire product. We work through Upwork escrow with only 10% upfront, so if we miss the mark you do not pay for it.
Find the gap before the regulator does
Most AI-built apps fail at least one of the requirements above on day one. The fix is usually a focused sprint, not a rebuild. The cost is small. The cost of finding out after a regulator opens a file is not. Run the 360 degree review now, get the written report, and hand it to your lawyer with confidence. You will know exactly where you stand.
Get a free 360 degree review including the legal data-handling checklist. Written report. No pressure. Pay safely through Upwork if you choose to fix with us.