Account Deletion & Privacy
Account Deletion & Privacy
BookYourPTO supports the data-subject rights required by GDPR and CCPA, entirely in-app. You can delete your account, export your data, and opt out of third-party syncs without filing a support ticket. Executives can delete the entire organization. This page explains each flow, what actually happens to your data, and the guardrails.
You'll find these controls in Profile → Danger Zone on mobile and in Settings on desktop.
The emailed confirmation code
Destructive deletions are gated by a one-time 6-digit code sent to the account owner's email.
POST /api/privacy/request-deletion-code
| Property | Value |
|---|---|
| Code | 6 digits, single-use |
| Validity | Held for a limited time, then expires |
| Delivery | Emailed to the account owner; the recipient address is masked in the API response |
| Rate limit | Strictly rate limited |
| Failure mode | If a code can't be issued, no deletion can proceed |
Deleting your organization (Executive only)
DELETE /api/organization
An Executive can delete their own organization with a valid confirmation code. This:
- Cancels the Stripe subscription,
- Writes a final audit log entry, then
- Cascade-deletes the organization and all of its data.
Deleting your own account
POST /api/privacy/data-deletion
{ "code": "123456" }
Everyone who isn't deleting the whole org uses this flow with a valid emailed code. Self-deletion is rate limited.
Admins deleting other users
Administrators and Executives can delete another user by passing a userId — no code is required in that case, because they're acting as an authenticated administrator.
What "delete" actually does — anonymization
To preserve the integrity of organization-wide reporting, deletion anonymizes rather than hard-deletes:
| Data | What happens |
|---|---|
| Name | Replaced with "Deleted User" |
| Scrambled | |
| PII & secrets | Nulled |
| Account | Deactivated (locked out on the next request) |
| Refresh tokens, trusted devices, notifications, chat, sign-in logs, token logs | Deleted |
| Leave records | Kept, but reasons/notes are cleared (they may contain medical information) |
| Audit logs | Kept, with the actor anonymized to "Deleted User" |
A deletion notification email goes to the user, their department head, and the org's admins/executives.
Data export (GDPR)
POST /api/privacy/data-export
Returns your full data as a downloadable JSON file. Rate limited.
Opt out of data selling/sharing (CCPA)
POST /api/privacy/opt-out
Excludes you from CRM and third-party syncs.
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
6-digit confirmation code required | You started a delete without a code. | Tap "Send code", then enter the emailed 6-digit code. |
Invalid or expired code | Code was wrong, already used, or expired. | Request a fresh code and try again. |
| No email arrived | Rate limit reached or a transient mail issue. | Wait a short while and resend; if a code can't be issued, deletion won't proceed. |
Cannot delete the last administrator | You're the only admin. | Promote/transfer to another admin first, then delete. |
| Self-delete rejected | Too many self-deletion attempts in a short span. | Wait a while and retry. |
| Export rejected | Too many exports in a short span. | Wait and retry. |
Audit & Monitoring
Audit logs, sign-in logs, unknown-login alerts, and log retention in BookYourPTO — what's recorded, who can see it, and how long it's kept.
Roles & Permissions
The four BookYourPTO roles — Employee, Department Head, Administrator, Executive — what each can do, the isApprover flag, and department scoping.