Corporate & Legal Compliance
Law Enforcement Guide

Law Enforcement Guidelines

Last updated: 13.02.2026 · Version: 1.0

This guide explains how legal data requests submitted by law enforcement and other competent public authorities (courts, Offices of the Chief Public Prosecutor, regulatory/administrative authorities, etc.) are received, verified, assessed, and answered in connection with services operated by WIN (“Platform”).

This guide is a standard that aims both:

  • to enable public authorities to submit requests through the correct channel and with the correct content, and
  • for WIN to handle requests in a manner that is lawful, proportionate, secure, and recorded.
⚠️
  • WIN keeps personal data and content confidential as a rule; it shares data only in legally mandatory or legally authorized situations and within procedurally proper requests (see Section 3). - In all requests, identity/authority verification is performed; additional information may be requested for incomplete, vague, or overly broad requests, or the request may be rejected. - Responses are provided under the principle of data minimization; unnecessary/disproportionate scope is narrowed and, where possible, masking/segregation is applied. - In emergency situations (risk to life or imminent/irreparable harm), where required conditions are met, WIN may share limited data (see Section 8). - This guide does not relieve WIN of obligations arising from applicable law; mandatory provisions in the relevant jurisdiction are reserved.

Related documents

This guide should be read together with the following WIN documents:

Privacy PolicyKVKK Information NoticeTerms of UseCommunity Guidelines🇪🇺DSA Compliance PageIllegal Content Notice FormTransparency ReportsBiometric Data ConsentExplicit Consent Texts

Section 1: Purpose, scope, and legal basis

This section explains (i) the purpose of the guide, (ii) which types of requests and authorities it covers, (iii) legislative references and the geographic scope approach.

1.1 Purpose

The main purposes of this guide are:

  • To ensure requests from public authorities are received in a procedurally proper manner,
  • To assess requests under the principles of lawfulness, necessity and proportionality, and data minimization,
  • To ensure responses are produced and transmitted in a secure manner,
  • To record processes and, where appropriate, generate input for transparency reporting,
  • To prevent fraudulent/misleading requests, unauthorized disclosure, and abuse.

1.2 Scope (which requests / which authorities)

This guide covers the following types of requests (including but not limited to):

  • Information/document requests: Account/subscription information, traffic data/logs, content data, etc.
  • Data preservation (preservation / legal hold) requests: Preventing deletion or ensuring preservation of data with respect to a specific account or content.
  • Emergency requests: Limited data sharing in situations involving risk to life or imminent/irreparable harm.
  • Content/account measures: Allegations of illegal content, access blocking/removal, account freezing, etc. (different regimes may apply depending on geographic targeting).

This guide is addressed to requests from the following authorities and competent institutions:

  • Courts and other judicial bodies,
  • Offices of the Chief Public Prosecutor and judicial authorities,
  • Law enforcement (including police/gendarmerie and specialist units),
  • Regulatory/administrative authorities, to the extent applicable (e.g., digital services/communications/competition authorities in certain countries).
⚠️

1.3 Geographic context and applicable regimes (summary)

The countries/regions where WIN provides services and the data hosting architecture may affect the procedures and legal bases applicable to requests.

In Turkiye, Law No. 5651 and related secondary legislation are taken into account regarding hosting provider liability, traffic data/log retention obligations, and content actions. Depending on the type of content, provisions of the Turkish Penal Code (TCK) may apply (e.g., obscenity; confidentiality of communications/private life; unlawful obtaining/disclosure of data).

1.4 Legal basis (general reference)

WIN’s approach to law enforcement requests is structured taking into account in particular the following rules:

  • Law No. 6698 on the Protection of Personal Data (KVKK).
  • Communique on the Procedures and Principles to be Complied with in Fulfilling the Disclosure Obligation (content/format of disclosure; linked to notice/transparency approach).
  • Regulation on the Transfer of Personal Data Abroad (cross-border data transfer framework; linked in particular to hosting/supplier architecture).
  • Law No. 5651 (publications on the internet; hosting provider liability and traffic data/log obligations).
  • Turkish Penal Code No. 5237 (TCK) — in particular:
    • Art. 226 (Obscenity),
    • Art. 132–140 (Offenses against private life/communications; unlawful recording, capture, or disclosure of personal data).
  • Electronic Communications Law No. 5809 (to the extent relevant to assessments linked to communications infrastructure and security).
  • GDPR (in the context of EU users and cross-border data transfer).
  • Digital Services Act (DSA) (where services are provided in the EU; communication with authorities and order/notice processes).

Note: This list is illustrative; additional legislation or different procedures may apply depending on the countries where WIN operates.

Section 2: Definitions

This section defines key concepts used throughout the guide.

TermExplanation
Law enforcementAuthorized units tasked with preventing and investigating crime, including police/gendarmerie and specialist units.
Competent public authorityAn institution legally authorized to direct requests, such as a court, prosecutor’s office, law enforcement, or the relevant regulatory/administrative authority.
Legal request / legal processA written request/decision/order that is properly formalized and transmitted by a competent authority and has a legal basis.
Traffic data / logTechnical records generated during provision of the service (e.g., IP, time stamp, device/session information, etc.) — scope may vary depending on applicable law and technical architecture.
Content dataUser-generated content such as profile content, photos/videos, messaging content, reporting/complaint attachments, or content arising during the service.
Account dataData related to the account such as account identity and profile information, verification status, preference settings, subscription/purchase records.
Preservation (preservation / legal hold)Temporarily placing specific data under “legal preservation” to prevent deletion or overwriting.
EmergencySituations involving imminent and serious risk to a person’s life, bodily integrity, or similar fundamental interests.
Data minimizationNot sharing data that is not necessary for the requested purpose; narrowing scope and, where possible, applying masking.

Section 3: Core principles in assessing requests

This section explains the assessment principles and decision criteria WIN applies to all public authority requests.

3.1 Lawfulness and procedural compliance

WIN shares data only within requests/decisions that:

  • are transmitted by a competent authority,
  • are communicated in a procedurally proper manner,
  • have a clear legal basis.

3.2 Necessity and proportionality (scope control)

Requests are assessed with respect to scope, duration, and data categories in connection with the purpose. For overly broad or vague requests:

  • narrowing of scope is requested,
  • linkage to a specific account/incident is required,
  • the request may be rejected or only partially fulfilled if necessary.

3.3 Data minimization and segregation

WIN adopts the principle of achieving the purpose with the least data. To the extent applicable:

  • data belonging to third parties is filtered out,
  • unnecessary fields are masked,
  • output is produced limited only to the relevant time range/incident only.

3.4 Security, privacy, and integrity

Requests and responses are:

  • handled/transmitted by authorized teams,
  • under the principle of access only as needed,
  • using secure communication methods.

3.5 Transparency and user notification

As a rule, WIN adopts a notification approach regarding requests affecting users. However, notification may be delayed or not provided if:

  • it is prohibited by law,
  • there is a risk of compromising an investigation,
  • there is a risk to a person’s safety
    (see Section 9).

3.6 Record-keeping and accountability

WIN:

  • records requests and responses in internal systems,
  • leaves an audit trail where necessary for audit/review,
  • uses them statistically in transparency reporting to the extent appropriate (see Transparency Reports).

Section 4: Request channels and authentication

This section explains which channels public authorities may use to submit requests, how WIN performs identity/authority verification, and accepted formats.

4.1 Official communication channels

  • Official request email: support@whoisnextapp.com (At this stage, designated as the single channel for all corporate and legal requests.) - Emergency (24/7): WIN does not currently operate a separate 24/7 emergency telephone or on-call system for public authorities; emergency requests must also be sent via official email. Operational responsibility in this regard lies with the relevant law enforcement units. - KEP / UETS: There is currently no active KEP or UETS address. Official notifications and legal requests are accepted via the company address or corporate email channels. - Postal / service address: WIN TECH Bilişim Organizasyon ve Ticaret A.Ş. (For address details, please see Terms of Use Section 16.4.)

Note: For EU authorities, the DSA Art. 11 contact point, if published, should be followed via the DSA Compliance Page.

4.2 Request format and accepted documents

Requests are expected to meet the following characteristics:

  • Be written and official in nature (wet ink / secure electronic signature / via official systems),
  • Clearly show the identity and authority of the requesting authority/personnel,
  • Include file/document number, date, and legal basis,
  • Have a defined scope (account/incident, data categories, time range).

WIN does not process “oral” requests made by telephone only or applications whose official identity cannot be verified.

4.3 Identity and authority verification (checks performed by WIN)

When assessing requests, WIN may perform the following checks (to the extent applicable):

  • Verification of the requesting person’s institutional email domain / official contact information,
  • Verification of signature/stamp/e-signature,
  • Confirmation via callback through the institution’s official channels,
  • Review of the request content for procedure and scope.

Fraudulent or unidentified requests carry high risk for user safety and data security. Therefore, WIN may not share data until verification steps are completed.

4.4 Response times (target approach)

Response times may vary depending on the scope of the request, technical availability, and completeness of the request. General target approach:

  • Complete standard requests: The goal is to complete the initial assessment and begin a response within 5 business days.
  • Preservation requests: Processed as soon as possible after verification.
  • Emergency requests: Answered on a priority basis if verification and urgency criteria are met.

Note: Requesting additional information for incomplete/vague requests may extend response times.

Section 5: Minimum information required in a request

This section lists the minimum fields required for a request to be processed and good practice recommendations.

5.1 Minimum fields (checklist)

FieldWhy is it required?
Requesting institution/authority and unitFor authority/verification.
Name-surname and title of the requesting personFor communication and authority confirmation.
Official contact information (phone/email)For verification and follow-up.
File/document number and dateFor record-keeping and traceability.
Legal basis (statute article/type of decision, etc.)For lawfulness assessment.
Purpose of the request (summary)For scope/proportionality assessment.
Requested data categoriesFor data minimization and correct output.
Time rangeTo prevent overly broad scope and enable correct filtering.
Account/content identifiersTo identify the correct account.
Confidentiality/notification restrictionFor assessment of user notification.
Delivery method (preference)For secure transmission planning.

5.2 Account/content identifiers (examples)

For requests to be handled quickly and correctly, at least one of the following should be provided where possible:

  • In-app user ID / account number: 12345678 (Example)
  • Registered phone number or email of the user
  • Profile username (handle) or in-app link/screenshot of the profile
  • Content ID / message ID / report ID for the relevant content
⚠️

Queries can be run using all elements necessary to identify a person (ID, mobile phone, email, etc.), and there is no limitation in this regard. However, specific identifiers (ID/URL) reduce the risk of incorrect matching.

5.3 Request template (suggestion)

Suggested request template (copy‑paste)
  • Institution/Authority: …
  • Unit: …
  • Requesting person (Name‑Surname / Title): …
  • Contact (phone / official e‑mail): …
  • File/Document No.: …
  • Date: …
  • Legal Basis: …
  • Purpose of the request (summary): …
  • Request type: (information request / preservation / emergency / content removal, etc.)
  • Account identifiers: (user ID / phone / e‑mail / handle / content ID)
  • Requested data categories: (account info / log / content / payment, etc.)
  • Time range: …
  • Confidentiality/notification restriction: …
  • Delivery preference (encrypted email / secure link / KEP, etc.): …

Section 6: WIN’s end-to-end request assessment and response process

This section explains step by step the operational and legal steps WIN follows after receiving a public request (record → verification → scope → output → secure transmission → closure).

Step 1: Receipt and recording of the request

When the request is received through an official channel, a unique “request record” is created; file/document number, date, requesting institution, and scope are noted.

Step 2: Identity and authority verification

The requesting person’s institutional identity and authority are verified. If necessary, follow-up/confirmation is made through official channels.

Step 3: Assessment of legal basis and scope

The legal basis of the request, data categories, time range, and account identifiers are reviewed. For overly broad/vague requests, additional information is requested or scope is narrowed.

Step 4: Data extraction and minimization

Only data falling within the request scope is extracted. Data relating to third parties and unnecessary fields are filtered/masked where possible.

Step 5: Secure transmission

The response is transmitted to the requesting authority by secure means (e.g., encrypted file, secure link, KEP, etc.). The transmission channel and delivery confirmation are recorded.

Step 6: Closure, retention, and reporting

The request record is closed; response files and transaction logs are retained in accordance with relevant retention policies. Statistical data is generated for transparency reporting where appropriate.

Section 7: Request types and response scope

This section explains common request types and, for each type, (i) minimum conditions WIN expects, (ii) typical data outputs, and (iii) limitations.

7.1 Standard information requests (account/data/transaction records)

WIN may share data available in its systems within procedurally proper and legally valid requests. Example data types:

  • Account information: registration date, verification status, profile/settings information, Device ID and session (login/last seen) records,
  • Content data: profile images/texts, report attachments; message content stored on Google Firebase (messages are not end-to-end encrypted),
  • Technical data: login/logout times, IP/session information, error/activity logs obtained via automated infrastructure services such as Firebase,
  • Purchase/subscription: App Store / Google Play transaction records and subscription status information.

Note: WIN can provide only data that exists in its own systems (server-side login/last seen, etc.) and is technically accessible.

7.2 Traffic data / log requests (Law No. 5651 context)

WIN handles traffic data/log records generated during provision of the service within the obligations foreseen under Law No. 5651 and related secondary legislation.

  • The request should, where possible, be limited to a specific account/session or a specific time range. - Purpose and scope should be clear (e.g., “login IP records for user ID Y in date range X”).

7.3 Preservation (preservation / legal hold) requests

Where WIN receives a procedurally proper “preservation” request:

  • it may apply temporary preservation to prevent deletion of data with respect to the relevant account/content,
  • during this preservation, it may separate the data from the normal retention flow.
  • File/document no., date, and legal basis - Account/content identifiers (user ID, phone/e‑mail, content ID, etc.) - Data categories to be preserved (e.g., log, message, profile content) - Time range (where possible) - Purpose of the request (summary) and, if any, confidentiality/notification restriction - Preservation duration and extension instruction/method
⚠️

A preservation request means data is retained; a separate legally valid disclosure/delivery request is required for data to be shared.

  • Preservation period: The standard preservation period is applied as a minimum of 90 days. Extension requests must be submitted in official writing before the period ends.

7.4 Emergency requests (risk to life / imminent harm)

Exceptionally, where permitted by law and after necessary verification, WIN may share limited data to protect a person’s safety or reduce imminent life-threatening risk.

⚠️

Emergency requests are not automatically accepted even if labeled “emergency.” The request is expected to reasonably demonstrate that: - it involves a concrete and imminent risk, - delay could cause serious harm, - the requester is a competent authority.

  • Nature of the emergency (e.g., missing person, suicide risk, serious threat of violence) and why it is “time-critical” - Requesting authority/personnel information (identity, title, unit) + official contact for callback - File/document no. and legal basis/framework (where possible) - Account/incident identifiers (user ID, phone/e‑mail, content ID, etc.) - Requested data categories and time range - If any, confidentiality/notification restriction or “danger” justification
⚠️

Limited sharing within an emergency framework should be supported, as soon as possible, by procedurally proper official writing/decision. WIN may request additional information or official documents after an emergency response.

7.5 Content removal / access blocking / account measures

In situations involving illegal content or security risks:

  • WIN may apply content/account restrictions under its own contractual rules (see Community Guidelines and Terms of Use),
  • depending on geographic targeting, orders of competent authorities (e.g., orders under the DSA in the EU) are assessed separately.

Public authorities may use the form on the Illegal Content Notice Form page to submit illegal content notices in a standard and traceable manner; the form contains fields aligned with Law No. 5651, the TCK, and the DSA.

Section 8: Categories of data that may be shared (sample inventory)

This section lists, by way of example, data categories that may arise in law enforcement requests and general limits observed in sharing.

Data categoryExample contentNotes / sensitivity
Account identifiersUser ID, registration date, verification statusDepending on request scope.
Profile dataProfile photo, profile text, preference fieldsMay be user-generated content.
Messaging dataMessage content, attachmentsStored on Google Firebase; not end-to-end encrypted.
Report/complaint dataUser reports, screenshotsMay contain third-party data; minimization is important.
Technical/session dataDevice ID, IP, session login/last seen time, error logsLast seen data is on the server; technical error logs are stored on Firebase/SDK infrastructure.
Location dataApproximate or precise (GPS) location informationThe app is location-based (finding the nearest user). Retained for the legal retention periods foreseen in legislation.
Payment/subscriptionTransaction ID, package type, periodStore records and commercial evidence retention periods (10 years) apply.
Verification dataSelfie photos, verification result (success/fail)Photo verification is performed with Google Gemini 2.5 Flash. Raw selfie/profile photos are stored on Firebase. WIN accesses the verification result (success/fail) through this process.
⚠️
  • User passwords, secret keys, or authentication secrets. - Raw data held by third parties that WIN does not technically possess (only within WIN’s accessible roles as data controller/processor). - Requests such as real-time monitoring/listening that are not within WIN’s service scope or not legally/technically supported.

Section 9: User notification and transparency

This section explains WIN’s approach to user notification and its connection to transparency reporting.

9.1 User notification and responsibility

Notifying the user in the context of government/law enforcement requests is not WIN’s responsibility or obligation. Prosecutor’s office and law enforcement investigations are confidential as a rule. Therefore, there is no obligation to notify users regarding data sharing carried out pursuant to procedurally proper requests.

9.2 Situations where notification is not made or is delayed

WIN may not notify or may delay notification in the following situations:

  • Where there is a legal confidentiality obligation or notification prohibition,
  • Where notification could compromise an investigation,
  • Where it would create a risk to a person’s safety.

9.3 Transparency reports

WIN aims to publish statistics regarding public authority requests and content actions periodically to the extent appropriate. See Transparency Reports.

Section 10: International requests and cross-border data

This section explains the general approach to requests from foreign authorities and the cross-border data transfer context.

10.1 Requests from foreign authorities

When assessing requests from foreign authorities outside Turkiye, WIN considers whether the request has been transmitted in a procedurally proper manner through the Republic Prosecutor’s Office of the relevant country or an equivalent official/judicial institution. Such applications are responded to only through authorized official channels.

10.2 Orders under the EU (DSA)

Where services are provided in the EU, for orders of EU authorities and contact points, see the DSA Compliance Page.

10.3 Cross-border data transfer and hosting

In WIN’s technical infrastructure, which countries host data and which suppliers are used may affect transfer and response processes. In Turkiye, the KVKK and Regulation on the Transfer of Personal Data Abroad framework is also considered for cross-border transfer scenarios. For the general approach on these matters, see the Privacy Policy.

Section 11: Security, record-keeping, and audit

This section explains how requests and responses are managed securely, recorded, and kept ready for audit.

11.1 Access and authorization

Law enforcement requests are processed only under the control of legal/compliance and security teams authorized on this topic. Accesses are recorded.

11.2 Secure transmission

While the transmission method for responses has not yet been finalized as a single technical standard, transmission is principally carried out by taking necessary security measures via encrypted files, secure links, or notification systems.

11.3 Retention of records (request records)

Request records and response metadata (e.g., date, scope, delivery method) are retained for the period appropriate under relevant retention policies for accountability and audit purposes.

Section 12: Changes and contact

This section explains how the guide is updated and the path public authorities should follow for contact.

WIN may update this guide due to legislative changes, technical architecture changes, or operational needs. The current version is published in the in-app “Legal” section and at whoisnextapp.com (opens in a new tab).

Public authorities should submit their requests through the official channels stated in Section 4.

Intellectual Property PolicySecurity Vulnerability Disclosure