Cookie banners have trained visitors to click "Accept" without thinking — and they have trained a lot of businesses to believe a banner equals compliance. It doesn't. Most real KVKK and GDPR exposure doesn't come from a missing consent dialog; it comes from the analytics tag, the ad pixel, and the tag manager that were already firing before the visitor made a choice, quietly sending personal data to Google, Meta, or a server in another country. That gap between "we have a cookie banner" and "our site actually respects the choice it asks for" is invisible unless you go looking for it with a browser, not a checklist. PrivaScan exists to make that gap visible, timestamped, and fixable.

PrivaScan is a KVKK & GDPR consent-compliance scanner built on Laravel. Point it at a URL, and it loads the page in a real browser, records every tracker, cookie, and cross-border data transfer that runs before any consent is given, and turns the result into a severity-ranked, developer-actionable report — plus continuous monitoring and a public trust badge so the finding stays current.

Honesty First: We Sell Evidence, Not a Verdict

The single most important design decision in PrivaScan is what it refuses to say. It will never tell you that you are "KVKK compliant" or "GDPR certified" — no automated scan of one or a few pages can make that claim honestly, and any tool that does is selling you a false sense of safety. What PrivaScan sells instead is evidence: a documented, timestamped, independently verifiable record of exactly which trackers fired before consent, which regions your visitors' data was sent to, and what a developer needs to change to fix it. Every report says plainly that detection is automated and scoped to the pages tested, and that it is not legal advice. That's not a disclaimer buried in fine print — it's the actual sales pitch: proof beats a promise.

How the Scan Works

Under the hood, PrivaScan drives a real headless Chrome instance directly from PHP over the Chrome DevTools Protocol — no clicking, no simulated consent, just what the page does by default. It listens to every network request the page fires on load, reads every cookie set (including HttpOnly cookies that client-side JavaScript can't even see), and inspects localStorage and sessionStorage. Each third-party request is matched against a hand-maintained database of known vendors — Google Analytics, Google Tag Manager, Meta Pixel, Hotjar, Microsoft Clarity, TikTok Pixel, Yandex Metrica and dozens more — each tagged with its category, purpose, home region, and a default severity. From there PrivaScan can tell you, precisely: which of those trackers count as pre-consent analytics, advertising, social-pixel, session-recording, or tag-manager activity; which regions (the US, Russia, China, the EU) your visitors' data is actually flowing to; and whether it can detect a real consent-management platform on the page at all. The result is an A–F risk grade and a report mapped directly to the relevant KVKK articles and GDPR/ePrivacy provisions — not a vague "issues found" count.
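
The vendor-matching step described above, as an added example in JavaScript; it is not PrivaScan's code (PrivaScan is PHP). The vendor table, its severities, the `classifyPreConsent` name and the sample capture are constructed assumptions.

```javascript
// Constructed vendor table for illustration (not PrivaScan's database).
// Severities are assumed values.
const VENDORS = [
  { domain: 'google-analytics.com', name: 'Google Analytics', category: 'analytics', region: 'US', severity: 'high' },
  { domain: 'googletagmanager.com', name: 'Google Tag Manager', category: 'tag-manager', region: 'US', severity: 'medium' },
  { domain: 'connect.facebook.net', name: 'Meta Pixel', category: 'social-pixel', region: 'US', severity: 'high' },
  { domain: 'clarity.ms', name: 'Microsoft Clarity', category: 'session-recording', region: 'US', severity: 'high' },
  { domain: 'mc.yandex.ru', name: 'Yandex Metrica', category: 'analytics', region: 'RU', severity: 'high' },
];

// Match on a label boundary so "notgoogle-analytics.com" is not a hit.
function matchVendor(host) {
  return VENDORS.find(v => host === v.domain || host.endsWith('.' + v.domain)) || null;
}

// requestUrls: URLs seen on page load, before any consent interaction.
function classifyPreConsent(siteUrl, requestUrls) {
  const siteHost = new URL(siteUrl).hostname.toLowerCase().replace(/^www\./, '');
  const findings = new Map();
  const unknown = new Set();
  for (const raw of requestUrls) {
    let host = '';
    try { host = new URL(raw).hostname.toLowerCase(); } catch { continue; }
    if (!host) continue; // data:, blob:, about: carry no host
    if (host === siteHost || host.endsWith('.' + siteHost)) continue; // first party
    const vendor = matchVendor(host);
    if (!vendor) { unknown.add(host); continue; } // third party, not in the table
    const f = findings.get(vendor.name) || { ...vendor, requests: 0 };
    f.requests += 1;
    findings.set(vendor.name, f);
  }
  const list = [...findings.values()];
  return {
    findings: list,
    regions: [...new Set(list.map(f => f.region))].sort(),
    unknownThirdParties: [...unknown].sort(),
  };
}

// Constructed capture for a hypothetical site, https://www.example.com/.
const SAMPLE_REQUESTS = [
  'https://www.example.com/app.js',
  'https://cdn.example.com/site.css',
  'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX',
  'https://www.google-analytics.com/g/collect?v=2',
  'https://region1.google-analytics.com/g/collect?v=2',
  'https://mc.yandex.ru/metrika/tag.js',
  'https://notgoogle-analytics.com/x.js',
  'data:image/gif;base64,R0lGOD',
];
```

Unknown third-party hosts are returned separately so a reviewer can decide whether the table is missing a vendor.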

Built the Hard Way, on Purpose

PrivaScan's engineering story is a lesson learned the expensive way. An earlier version of this idea was built as a separate Node.js microservice — and it was abandoned, because a Laravel-and-PHP team couldn't own code they didn't fully understand, in a runtime they didn't maintain day to day. PrivaScan is the correction: a single Laravel monolith, with no separate services, runtimes, or deploys. The scanning engine, the web dashboard, the CLI, the badge — all PHP, all one deploy. The one external dependency is the Chrome binary itself, driven over a protocol, never hand-rolled as a side-service. A small team that can read, debug, and ship every line of its own product beats a fleet of microservices in three languages that nobody fully owns.

Beyond the Cookie Banner: Cross-Border Transfers and Real Fixes

A pre-consent tracker is only half the story — where the data goes matters just as much under both KVKK Article 9 and GDPR Chapter V. PrivaScan maps every detected vendor to the region its data actually lands in, so a report doesn't just say "Yandex Metrica found" — it says a cross-border transfer to Russia is happening before consent, with the specific legal article it touches. And because a finding is only useful if someone can act on it, every category in the report ships with concrete developer remediation: for the most common case, that means wiring up Google Consent Mode v2 so `analytics_storage` and `ad_storage` default to denied and only flip to granted after an explicit opt-in — not vague advice to "review your cookie policy."
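
The Consent Mode v2 remediation named above, as an added example that is not taken from a PrivaScan report. The `gtag('consent', ...)` calls are Google's documented API; `setConsentDefaults`, `onExplicitOptIn`, `auditConsentOrder` and the `G-XXXXXXXXXX` placeholder ID are assumptions made for illustration.

```javascript
// In a browser this is window.dataLayer; globalThis lets it run in Node too.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// Must run before the gtag.js / GTM snippet loads.
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',       // added in Consent Mode v2
    ad_personalization: 'denied', // added in Consent Mode v2
  });
}

// Call only from the banner's explicit opt-in handler.
function onExplicitOptIn(choices) {
  const ads = choices.ads ? 'granted' : 'denied';
  gtag('consent', 'update', {
    analytics_storage: choices.analytics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  });
}

// Check a dataLayer: a denied default must precede any tag activity.
function auditConsentOrder(layer) {
  const isCmd = (e, name) => Boolean(e) && e[0] === name;
  const firstDefault = layer.findIndex(e => isCmd(e, 'consent') && e[1] === 'default');
  const firstTag = layer.findIndex(
    e => isCmd(e, 'js') || isCmd(e, 'config') || (Boolean(e) && e.event === 'gtm.js'));
  if (firstDefault === -1) return { ok: false, reason: 'no consent default' };
  const d = layer[firstDefault][2] || {};
  if (d.analytics_storage !== 'denied' || d.ad_storage !== 'denied') {
    return { ok: false, reason: 'default not denied' };
  }
  if (firstTag !== -1 && firstTag < firstDefault) {
    return { ok: false, reason: 'tag before default' };
  }
  return { ok: true, reason: 'default denied before tags' };
}

// Correct page order: defaults first, then the tag bootstraps.
setConsentDefaults();
gtag('js', new Date());
gtag('config', 'G-XXXXXXXXXX'); // placeholder measurement ID
```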

Always-On: Monitoring and a Trust Badge

A site's tracker footprint doesn't stay still — a new marketing tag, an agency's fresh pixel, an A/B testing tool someone bolted on last week can all quietly reintroduce the exact problem you just fixed. PrivaScan re-scans monitored sites on a schedule, diffs the result tracker-by-tracker against the previous scan, and emails you when something new appears or when something you fixed stays fixed. The visible result is a public trust badge for your footer — a live, self-updating attestation of your site's consent posture that degrades honestly if monitoring lapses, rather than freezing at a launch-day snapshot nobody checks again.
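
A tracker-by-tracker diff between two scans, as an added example; it is not PrivaScan's code. The record shape, the `fixedVendors` bookkeeping and the sample scans are constructed assumptions.

```javascript
// previous/current: tracker findings from two scans of the same page,
// each { vendor, category, region }. fixedVendors: vendors the site owner
// marked as remediated after an earlier report (assumed bookkeeping).
function diffScans(previous, current, fixedVendors = []) {
  const prev = new Set(previous.map(t => t.vendor));
  const curr = new Set(current.map(t => t.vendor));
  const fixed = new Set(fixedVendors);
  const prevRegions = new Set(previous.map(t => t.region));
  const appeared = current.filter(t => !prev.has(t.vendor));
  const diff = {
    // Never seen before on this page.
    added: appeared.filter(t => !fixed.has(t.vendor)).map(t => t.vendor),
    // Previously remediated and now firing again.
    reintroduced: appeared.filter(t => fixed.has(t.vendor)).map(t => t.vendor),
    // Present last scan, absent now.
    resolved: previous.filter(t => !curr.has(t.vendor)).map(t => t.vendor),
    // Remediated earlier and still absent.
    stillFixed: fixedVendors.filter(v => !curr.has(v)),
    // Destinations that were not in the previous scan at all.
    newRegions: [...new Set(current.map(t => t.region))].filter(r => !prevRegions.has(r)),
  };
  diff.alert = diff.added.length + diff.reintroduced.length + diff.newRegions.length > 0;
  return diff;
}

// Constructed scan results for a hypothetical monitored page.
const PREVIOUS_SCAN = [
  { vendor: 'Google Tag Manager', category: 'tag-manager', region: 'US' },
  { vendor: 'Google Analytics', category: 'analytics', region: 'US' },
];
const CURRENT_SCAN = [
  { vendor: 'Google Tag Manager', category: 'tag-manager', region: 'US' },
  { vendor: 'Meta Pixel', category: 'social-pixel', region: 'US' },
  { vendor: 'Yandex Metrica', category: 'analytics', region: 'RU' },
];
const FIXED_VENDORS = ['Meta Pixel', 'Hotjar'];
```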

Where It's Going

PrivaScan ships with a free single-page scan as an open front door, paid tiers that add full-site crawling and daily monitoring, and one-off products for teams that want a one-time deep audit or a human privacy reviewer's sign-off rather than a subscription. From here the roadmap runs on the same evidence-first thread as the rest of the Talivio portfolio: a growing library of public, per-tracker remediation guides — "how to stop Google Tag Manager from firing before consent," "what a cross-border transfer to Russia actually means under KVKK" — so the fix is one search away from the problem. You can run a free scan now at privascan.talivio.com.

Why This Matters

The hard part of a consent-compliance product isn't loading a page in Chrome — that part is almost mechanical. The hard part is resisting the temptation to sell certainty you can't back up, and instead building something that tells a business exactly what a real browser saw, maps it to the law it touches, hands a developer a fix instead of a lecture, and keeps checking after launch instead of stopping at the first clean report. PrivaScan's answer is a real-browser scan of what actually happens before consent, delivered by one maintainable Laravel app, kept honest by continuous monitoring and a public badge. It doesn't tell you that you're safe. It tells you exactly where you stand — and keeps telling you.