Account Deletion Flow
Self-serve account termination with a 72-hour grace window, email confirmation, and cryptographic proof of deletion. No support ticket required.
1. Initiate
User navigates to /account/danger and clicks “Delete my account.” A confirmation modal collects the account password for re-authentication.
2. Verify
A time-limited token is emailed to the account’s verified address. The token is single-use, bound to the session, and expires in 15 minutes.
3. Grace Period
After token confirmation, the account enters a 72-hour “pending deletion” state. The user can cancel at any time during this window by logging in and clicking “Restore.”
4. Finalize
Once the grace period expires, a background job hard-deletes PII, revokes all active sessions, and writes an immutable deletion receipt to the audit log. A final confirmation email is sent.
5. Proof
The deletion receipt includes a SHA-256 hash of the user ID and timestamp, signed with the service's Ed25519 key. Users can independently verify the signed receipt and so confirm that their data was purged.
Edge cases handled
- Active subscription — canceled before deletion proceeds
- Concurrent restore + delete — idempotent state machine
- Token replay — single-use with server-side nonce
- Email bounce — retry with exponential backoff (3 attempts)