GDPR Article 17 ('right to erasure') is enforced in-app — no support ticket needed.
Delete your account
/account → Delete account. Your account enters a 30-day grace window during which you can reactivate by signing back in.
What gets hard-purged after 30 days
- Your user row + every customer_membership pointing at your user_id.
- Any workspace whose only owner was you, plus every row referencing those workspaces (cascade DELETE).
- Source connections + their encrypted OAuth tokens.
- Recommendation lifecycle history attributable to you.
What survives
The hash-chained audit log (SOC 2 CC7.2 requires append-only retention for 12 months) and aggregate billing records that don't carry PII.
If you need a Data Subject Access Request (DSAR) instead of deletion, email privacy@growpad.io — we respond within the GDPR-mandated 30 days.