Recipe
Delete account flow
A privacy-first, irreversible account termination sequence with grace-period confirmation and audit trail.
States
- idle — user browses settings, no action taken
- confirm — modal with consequences, re-auth required
- pending — 72h grace period, email with undo link sent
- deleted — data scrubbed, license revoked, audit log written
Transitions
| From | Trigger | To |
|---|---|---|
| idle | User clicks "Delete account" | confirm |
| confirm | Re-auth succeeds + confirm checkbox | pending |
| pending | 72h elapsed | deleted |
| pending | User clicks undo | idle |
Edge cases
- Active subscription — cancel Stripe sub before deletion
- License in use — revoke KeyAuth key immediately on confirm
- Undo during grace — restore full state, log reversal
- Admin override — support tool can force-delete with reason
Audit
Every transition writes to an append-only audit log: user ID, timestamp, from-state, to-state, IP, and trigger source. Logs retained for 90 days post-deletion per compliance policy.
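As an added example (not part of this recipe), a minimal Python model of the state machine above: it enforces the transition table, the re-auth plus checkbox gate, the 72h grace check, the terminal deleted state and the support-tool override, and appends an audit entry with the fields listed in the Audit section for every successful transition. The trigger names, the `admin_force` override and its `reason` argument are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GRACE_PERIOD = timedelta(hours=72)

# Transition table from the recipe: (from_state, trigger) -> to_state.
# "deleted" has no outgoing edge, so it is terminal.
TRANSITIONS = {
    ("idle", "delete_clicked"): "confirm",
    ("confirm", "confirmed"): "pending",      # gated on re-auth + checkbox below
    ("pending", "grace_elapsed"): "deleted",
    ("pending", "undo"): "idle",
}

@dataclass(frozen=True)
class AuditEntry:  # one immutable row per transition, never rewritten
    user_id: str
    timestamp: datetime
    from_state: str
    to_state: str
    ip: str
    source: str  # trigger source, e.g. "web", "email-undo-link", "support-tool: <reason>"

@dataclass
class DeleteAccountFlow:
    user_id: str
    state: str = "idle"
    pending_since: "datetime | None" = None
    audit: list = field(default_factory=list)  # append-only

    def fire(self, trigger, ip, source, now, *, reauth_ok=False, checkbox=False, reason=None):
        if self.state == "deleted":
            raise ValueError("account already deleted; no further transitions")
        if trigger == "admin_force":  # assumed name for the support-tool override
            if not reason:
                raise ValueError("admin override requires a reason")
            to_state, source = "deleted", f"{source}: {reason}"
        else:
            to_state = TRANSITIONS.get((self.state, trigger))
            if to_state is None:
                raise ValueError(f"no transition from {self.state!r} on {trigger!r}")
            if trigger == "confirmed" and not (reauth_ok and checkbox):
                raise PermissionError("re-authentication and explicit confirmation required")
            if trigger == "grace_elapsed" and now - self.pending_since < GRACE_PERIOD:
                raise ValueError("grace period has not elapsed yet")
        # Audit row is written before state changes so a failed transition leaves no row.
        self.audit.append(AuditEntry(self.user_id, now, self.state, to_state, ip, source))
        self.state = to_state
        self.pending_since = now if to_state == "pending" else None
        return to_state
```

Rejected triggers raise before anything is recorded, so the audit list only ever contains transitions that actually happened.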