Security & Privacy

Account Deletion & Privacy

GDPR/CCPA controls in BookYourPTO — delete your account or organization with an emailed code, export your data, opt out of third-party syncs, and understand anonymization.

Account Deletion & Privacy

BookYourPTO supports the data-subject rights required by GDPR and CCPA, entirely in-app. You can delete your account, export your data, and opt out of third-party syncs without filing a support ticket. Executives can delete the entire organization. This page explains each flow, what actually happens to your data, and the guardrails.

You'll find these controls in Profile → Danger Zone on mobile and in Settings on desktop.

The emailed confirmation code

Destructive deletions are gated by a one-time 6-digit code sent to the account owner's email.

POST /api/privacy/request-deletion-code
PropertyValue
Code6 digits, single-use
ValidityHeld for a limited time, then expires
DeliveryEmailed to the account owner; the recipient address is masked in the API response
Rate limitStrictly rate limited
Failure modeIf a code can't be issued, no deletion can proceed
Safe by design. If the system can't reliably prove it's really you, it refuses to delete anything. No code means no deletion — a temporary outage can never cause an accidental wipe.

Deleting your organization (Executive only)

DELETE /api/organization

An Executive can delete their own organization with a valid confirmation code. This:

  1. Cancels the Stripe subscription,
  2. Writes a final audit log entry, then
  3. Cascade-deletes the organization and all of its data.
This is irreversible. Deleting the organization removes every user, leave record, expense, document, and setting. Export anything you need first.

Deleting your own account

POST /api/privacy/data-deletion
{ "code": "123456" }

Everyone who isn't deleting the whole org uses this flow with a valid emailed code. Self-deletion is rate limited.

Admins deleting other users

Administrators and Executives can delete another user by passing a userIdno code is required in that case, because they're acting as an authenticated administrator.

You cannot delete the last administrator. Transfer ownership / promote another admin first, or the request is rejected.

What "delete" actually does — anonymization

To preserve the integrity of organization-wide reporting, deletion anonymizes rather than hard-deletes:

DataWhat happens
NameReplaced with "Deleted User"
EmailScrambled
PII & secretsNulled
AccountDeactivated (locked out on the next request)
Refresh tokens, trusted devices, notifications, chat, sign-in logs, token logsDeleted
Leave recordsKept, but reasons/notes are cleared (they may contain medical information)
Audit logsKept, with the actor anonymized to "Deleted User"

A deletion notification email goes to the user, their department head, and the org's admins/executives.

Data export (GDPR)

POST /api/privacy/data-export

Returns your full data as a downloadable JSON file. Rate limited.

Opt out of data selling/sharing (CCPA)

POST /api/privacy/opt-out

Excludes you from CRM and third-party syncs.

Troubleshooting

ErrorCauseFix
6-digit confirmation code requiredYou started a delete without a code.Tap "Send code", then enter the emailed 6-digit code.
Invalid or expired codeCode was wrong, already used, or expired.Request a fresh code and try again.
No email arrivedRate limit reached or a transient mail issue.Wait a short while and resend; if a code can't be issued, deletion won't proceed.
Cannot delete the last administratorYou're the only admin.Promote/transfer to another admin first, then delete.
Self-delete rejectedToo many self-deletion attempts in a short span.Wait a while and retry.
Export rejectedToo many exports in a short span.Wait and retry.