GDPR Article 17 gives you the right to have your personal data erased. Zenovay implements this as a self-service flow you can run in under a minute — no support ticket needed, no waiting period.
Self-service deletion (recommended)
- Sign in to app.zenovay.com.
- Go to Profile → Account → Delete Account.
- Read the confirmation panel, which lists what will be deleted.
- Type your email to confirm.
- Click Delete my account permanently.
You'll be signed out immediately and receive a confirmation email within ~30 seconds.
What gets deleted
The deletion runs as a cascade across every system that holds your personal data:
| System | What's deleted |
|---|---|
| Supabase auth | User row, sessions, OAuth identities |
| Supabase tables | Profile, websites you owned, team memberships, audit-log entries you authored |
| Stripe | Customer record, active subscription cancelled |
| Cloudflare KV | Sessions, security state, rate-limit counters, MCP quota |
| Cloudflare R2 | Heatmap screenshots for websites you owned |
| Resend | Marketing list memberships |
For owned websites that the deletion takes down, all visitor analytics for those sites are erased too — visitors, events, sessions, replays, heatmaps. If you're a team member of a website owned by someone else, deleting your account removes only your membership; the website's data stays under the owner.
Before you delete
Two things to consider:
- Export your data first. Article 20 (data portability) is separate from Article 17. If you want a copy of your personal data, run Profile → Account → Export My Data before deletion. See Article 20 export.
- Cancel paid subscriptions — the deletion auto-cancels any active Stripe subscription. You won't be billed past the deletion date. If you've prepaid annually, the unused portion is not automatically refunded; email billing@zenovay.com if you need a prorated refund.
What if I'm in a team I don't own?
Deleting your account removes:
- Your team membership (you no longer have access).
- Your audit-log entries authored by you (mapped to a tombstone "deleted user" reference).
- Any MFA / WebAuthn devices you registered.
The team itself, the websites the team owns, and other members are unaffected. The team owner can re-invite you with a fresh account if you ever return.
Timeline
- Immediate: sign-out, profile + sessions purged.
- Within 30 seconds: Stripe customer cancelled, KV/R2 cleanup begins.
- Within 30 minutes: all cascades complete. Confirmation email sent.
- Within 30 days: any data-warehouse / backup snapshots referencing your records are purged on their normal rotation.
What about already-shared analytics?
If you were a paying customer and had public dashboards or shareable links pointing to your data, those URLs return 404 immediately after deletion. Anyone who already had screenshots or local copies still has those — there's nothing we can do about that.
I can't sign in to delete
Email privacy@zenovay.com from the address you registered with. Include:
- "I am exercising my GDPR Article 17 right to erasure."
- A scan or photo of a government-issued ID with the document number redacted — we only need to verify name/email match. Discard the redaction copy after we confirm.
We respond within 30 days (the GDPR-mandated window). Most cases close within 5 working days.
Plan applicability
The right applies on every plan including Free. Deletion is free of charge — we cannot legally charge for an Article 17 request.