Account Deletion
Account deletion in Breeze is a request-and-review process with a 30-day grace period, not an immediate erase. A user submits a deletion request; an administrator reviews it; a back-office process completes the deletion after approval. This gives organisations time to intervene and leaves a complete audit trail.
Requesting deletion (user)
Section titled “Requesting deletion (user)”A signed-in user requests deletion of their own account from the dashboard account settings.
-
Open Account → Delete account.
-
Re-enter the account password and complete the multi-factor challenge (MFA is required for this action). Optionally provide a reason.
-
Submit. Breeze creates a deletion request with status
pendingand a process-by date 30 days out, and emails the organisation’s administrators a review link.
Password re-entry is rate limited (5 attempts per 5 minutes). Only one pending request per user is allowed at a time — submitting again while one is pending is rejected.
After submission the user sees the process-by date and can cancel any time before it:
- Cancel: open Account → Delete account again and cancel the pending request. The request moves to
cancelledand the account stays active.
Reviewing requests (administrator)
Section titled “Reviewing requests (administrator)”Administrators with the users:write permission review pending requests at Admin → Account deletion requests. Approving and rejecting both require the administrator to pass an MFA challenge.
| Decision | Effect |
|---|---|
| Approve | Request moves to processing. A back-office process performs the actual deletion and moves it to completed. |
| Reject | Request moves to cancelled. A note explaining the decision is required and is emailed to the user. The account stays active. |
The queue can be filtered by status (pending, processing, completed, cancelled), and a pending-count endpoint backs the admin badge.
Status lifecycle
Section titled “Status lifecycle”| Status | Meaning |
|---|---|
pending | Submitted by the user, awaiting administrator review. Cancellable by the user. |
processing | Approved by an administrator; queued for back-office deletion. |
completed | Deletion finished. |
cancelled | Cancelled by the user, or rejected by an administrator (with a required note). |
API reference
Section titled “API reference”User endpoints
Section titled “User endpoints”Mounted under /auth. All require authentication; submission also requires MFA.
| Method | Path | Description |
|---|---|---|
GET | /auth/account-deletion-request | Return the user’s current pending request, if any |
POST | /auth/account-deletion-request | Submit a request. Body { "password": "...", "reason": "..."? }. Re-verifies password; requires MFA |
PATCH | /auth/account-deletion-request/:id | Cancel a pending request. Body { "status": "cancelled" } |
Administrator endpoints
Section titled “Administrator endpoints”Mounted under /admin. Require the users:write permission; the process action also requires MFA.
| Method | Path | Description |
|---|---|---|
GET | /admin/account-deletion-requests | List requests (filter by status) |
GET | /admin/account-deletion-requests/pending-count | Count of pending requests |
GET | /admin/account-deletion-requests/:id | Get a single request |
POST | /admin/account-deletion-requests/:id/process | Decide a request. Body { "action": "approve" } or { "action": "reject", "adminNote": "..." } (note required when rejecting) |
Audit trail
Section titled “Audit trail”Deletion activity is recorded in the audit log. User actions are logged as user.account_deletion.requested (including denied attempts, e.g. an invalid password) and user.account_deletion.cancelled. Administrator approve/reject decisions are recorded against the administrator who made them, along with the decision note.
Schema: account_deletion_requests
Section titled “Schema: account_deletion_requests”| Column | Type | Description |
|---|---|---|
id | uuid | Primary key |
user_id | uuid | The requesting user (references users.id, cascade on user delete) |
org_id | uuid | Denormalised tenant attribution; null for partner-level staff |
reason | text | Optional user-supplied reason |
status | enum | pending, processing, completed, or cancelled |
requested_at | timestamp | When the request was submitted |
process_by | timestamp | Submission time + 30 days |
processed_at | timestamp | When an administrator decided |
processed_by | uuid | The deciding administrator (references users.id) |
admin_note | text | Administrator note (required on rejection) |
created_at / updated_at | timestamp | Row timestamps |
A partial unique index enforces at most one pending request per user.