Overview
You have the right to erase your data under UK GDPR Article 17. Deletion is comprehensive — we propagate the request through every sub-processor that holds your personal data — but a small set of audit and legal records survive in pseudonymised form. This page spells out exactly what.
The end-to-end self-serve erasure workflow is being delivered in Phase 3 of our compliance programme. In the interim, deletion is handled within 30 days of an emailed request to dpo@mechasite.com.
How to delete your account
Email dpo@mechasite.com from the email address on your account, with subject “Account deletion request”. We will:
- Verify your identity via a confirmation email and, where MFA is enabled, an MFA challenge.
- Confirm in writing what we’re about to delete and what we need to retain (with the legal basis for each category).
- If you are the sole owner of an organisation with active sites, present the transfer-or-terminate options described in Section 5 below.
- Schedule deletion. We honour a 14-day grace period (see Section 7) before the irreversible operations begin.
- Issue an erasure certificate after deletion completes (see Section 8).
What is deleted immediately
- Your name, email address, and profile picture.
- Your password hash and MFA secrets.
- OAuth identity bindings (Google, GitHub, etc.).
- Your active sessions and API keys.
- Free-text content you submitted (support tickets, feedback, complaint descriptions where you are the complainant).
- Any sites you own that are not transferred to another organisation owner — content, drafts, generated artefacts, deployment records.
- Cached representations across our infrastructure (Cloudflare R2 artefacts, Sentry user identifiers, Statsig user mapping).
What we retain (and why)
We pseudonymise rather than delete the following because we have a legal obligation or overriding legitimate interest to retain them:
| Category | Period | Lawful basis |
|---|---|---|
| VAT-compliant invoices | 7 years | Legal obligation (HMRC). Pseudonymised — only the legal name and total are retained. |
| Authentication audit log | 6 years | Legal obligation (Art. 30 ROPA support) + legitimate interest (security audit). User identifier replaced with deterministic hash; row preserved. |
| Consent records | 6 years | CNIL standard for demonstrability of consent collection. Pseudonymised on erasure. |
| Breach incident records (if you were affected) | 7 years (full); 2 years for direct identifiers | Legal obligation + legitimate interest. Direct identifiers pseudonymised after 2 years. |
| Complaints you raised against us | 6 years | ICO limitation period. Email pseudonymised on erasure. |
| Third-party complaint references (where you appear as a party but are not the complainant) | 6 years | Article 15(4) — third-party rights override your erasure request for content about you in another data subject’s complaint. |
| Policy acceptance log | 6 years | Demonstrability of policy acceptance (SOC 2 CC2.3). Pseudonymised on erasure. |
If you are the only owner of an organisation
Mecha Site organisations require at least one owner. If you delete your account while you are the sole owner of an organisation that still has active sites or other members, we will offer you three options:
- Transfer ownership to another existing member of the organisation. Their consent is required; we’ll email them to confirm.
- Terminate the organisation alongside your account — all sites are decommissioned, billing is cancelled, and any invoiced amounts already paid are not refunded except as required by law.
- Pause your deletion request while you arrange transfer (we’ll hold the request open for up to 30 days).
Sub-processor cleanup
We propagate erasure to every sub-processor that holds personal data about you. The current set:
- Stripe — customer object pseudonymised; invoices retained per HMRC obligation under Stripe Connect terms.
- Sentry — user identifier removed from all stored events; replay recordings purged.
- Statsig — userID mapping removed; aggregate statistics retained as anonymous.
- Cloudflare R2 — owned artefacts purged; cached edge content invalidated.
- Resend — email delivery records pseudonymised.
- GitHub — repositories created during deployment archived or deleted per your DPA election.
The full sub-processor list lives at /legal/sub-processors.
Reversibility window
We hold your deletion request for 14 days before the irreversible operations begin. During that window you can cancel by replying to our confirmation email. After 14 days the deletion proceeds as a saga — once a sub-processor step has executed, that part cannot be reversed.
Erasure certificate
When deletion completes, we issue an erasure certificate by email listing:
- The categories of data deleted, with timestamps.
- The categories of data pseudonymised, with the lawful basis for retention and the period.
- Each sub-processor confirmation (where the sub-processor returns one).
- A reference number you can quote in any later complaint or regulator query.