| UI or UX | UI + UX - Account-level closure and associated personal data deletion workflow | UI + UX - Final destructive commit review | UI + UX - Exact target phrase gate before severe commit | UI + UX - User or administrator workflow for selecting, preparing, securing, downloading, transferring, and verifying data export packages | UI + UX - Dedicated user or app configuration management surface | UI + UX - Durable deleted-object recovery |
| UI guidance | Render delete account as a discoverable account-settings workflow that names the signed-in account, affected services, associated data, retained data, subscriptions, linked sign-in methods, recovery window, and final deletion status. | Render a destructive confirmation after the user invokes a destructive command, with a title and final action button that repeat the destructive verb and target, such as Delete workspace or Cancel subscription. | Render a visible non-secret text field inside a destructive or high-consequence confirmation, labelled with the exact target phrase the user must type before the final action enables. | Render data export as a job-based workflow with export scope, data categories, format, destination, estimated size, preparation status, expiry, security requirements, and download or transfer actions. | Render settings management as a durable configuration surface with a clear Settings or Preferences entry point, grouped categories, current values, setting descriptions, ownership or scope labels, dependencies, save or immediate-apply behavior, status feedback, search or section navigation for larger sets, and reset or restore defaults where appropriate. | Show deleted objects in a dedicated trash, recycle bin, deleted-files, or recoverable-items surface with object name, type, original location, deletion date, deleted-by actor, and remaining recovery window. |
| UX guidance | Use delete account when users need to close an identity-bearing account and remove or request removal of associated personal, profile, authentication, app, subscription, and service data. | Use destructive action confirmation to create one informed stop before permanent or externally visible loss, not to slow every routine cleanup action. | Use typed confirmation only when reproducing the target phrase meaningfully reduces severe wrong-object or wrong-scope mistakes, such as deleting a repository, project, account, workspace, production dataset, or root credential. | Use data export when users need a portable copy of personal, account, workspace, product, activity, or organization data for reuse, compliance, migration, backup, or review. | Use settings management when users need to review and change persistent app, account, workspace, notification, privacy, display, integration, or system behavior outside the immediate task flow. | Use restore from trash when users may discover a mistaken deletion after leaving the original workflow and need a durable way to recover the object. |
| Good UI | An account settings page shows Delete account for maya.chen@example.com, lists profile, projects, messages, connected apps, subscriptions, and retained invoices, offers Download data first, then schedules deletion with a 14-day cancel window. | Delete Payments project? lists 4 dashboards, 12 saved views, 3 webhooks, and 8 shared links, offers Keep project, and labels the danger action Delete Payments project. | Delete repository acme/payments-api? requires typing acme/payments-api, shows a mismatch until the exact path matches, and then enables Delete repository. | A privacy dashboard lets a user choose activity, profile, files, messages, and billing categories, shows JSON or CSV availability, requires reauthentication, creates archive EXP-2048, then shows download expiry and checksum. | A notification settings page groups channels, quiet hours, digest frequency, and workspace scope; each row shows current value, effect, dependency, and whether changes save immediately. | A Deleted files table lists Quarterly budget.xlsx with original folder Finance/Q2, deleted yesterday by Maya, 29 days left, and a Restore to Finance/Q2 action. |
| Bad UI | A page offers only Deactivate account, tells users to email support, and never says whether profile data, authentication records, subscriptions, or linked apps are deleted. | A modal says Are you sure? with OK and Cancel after the user clicks Delete, without naming the project or what disappears. | A dialog asks users to type YES before deleting a workspace, so the text does not verify the target object. | A button says Export all data but does not say which services, formats, accounts, dates, or unavailable records are included. | A page called Settings mixes billing invoices, destructive account deletion, onboarding tips, profile setup, search results, and global navigation with no grouping or save model. | A trash page lists File 1, File 2, and File 3 with no path, deletion time, owner, or recovery deadline. |
| Good UX | A user exports their data, verifies the account email, reviews affected services and subscription handling, types the email to confirm, schedules deletion, and can cancel during the stated recovery window. | A user opens Delete workspace, reviews the object count and webhooks, cancels, and returns to the same workspace with nothing changed. | A user starts deleting acme/payments-api, mistypes the repository path, sees the mismatch, and cancels before deleting the wrong repository. | A user requests a machine-readable archive, sees which data categories are eligible for portability, waits for preparation, downloads the package before expiry, and gets a manifest listing omitted records. | A user turns off weekly digest emails, sees the setting save immediately, keeps urgent security emails enabled, and understands the workspace-level override. | A user opens Trash, filters to spreadsheets deleted this week, previews the original folder, restores one file, and gets a link to the restored location. |
| Bad UX | A user deletes an account from the wrong identity provider session because the flow hides which Google, Apple, or email account is signed in. | A user confirms deletion because OK looks like the primary next step, then discovers shared links and child reports were lost. | A user types DELETE by habit and passes the gate without checking which workspace will be removed. | A user downloads a huge ZIP with no manifest, cannot tell whether messages or attachments are missing, and assumes export completed because one file downloaded. | A user changes a privacy setting thinking it affects only one project, but the value applies to the whole account. | A user restores a shared folder but cannot find it because permissions or parent location changed silently. |
| Best fit | Users can create an account and need a self-serve or direct request path to close it and delete associated data. | A user has initiated a destructive command that can permanently remove, revoke, reset, deactivate, or cancel something valuable. | A severe action affects repository, project, workspace, account, production, security, billing, or organization-wide scope. | Users need to download or transfer a copy of account, workspace, personal, product, activity, or organization data. | Users need to inspect and change persistent app, account, workspace, privacy, notification, display, integration, device, or system behavior. | Deleted objects remain recoverable after the user leaves the original workflow. |
| Avoid when | The task is simply signing out, removing an account from one device, deleting one service, unsubscribing from email, disabling notifications, or changing a privacy preference. | The action is a routine reversible archive, hide, dismiss, move, reorder, or trash move. | The action is routine, reversible, local, or recoverable through undo or trash restore. | The user is importing records into the product; use bulk import. | The task is a one-time transaction, submission, setup wizard, or onboarding flow. | The action is immediately reversible through a short undo window and no durable recovery surface exists. |
| Required state | Discoverable account deletion entry point in account settings or a direct web deletion resource. | Idle state where the destructive command is visible but not committed. | No-typed-gate state for actions that do not need target-text escalation. | Eligible data categories and unavailable categories state. | Settings overview with categories and current values | Normal active-object state before deletion. |
| Accessibility burden | Use headings and labels that name the account and deletion action, not color or danger styling alone. | Use alertdialog semantics or platform equivalent when the destructive decision requires an immediate response. | Associate the input with a label that includes or references the required phrase. | Use persistent status text for queued, preparing, ready, partial, failed, expired, and downloaded states rather than relying on a spinner or toast alone. | Use headings, section labels, fieldsets, and persistent labels so settings groups and controls have clear programmatic names. | Expose deleted item name, type, original location, retention deadline, and restore availability as text in each row. |
| Common misuse | Offering only deactivate, disable, sign out, remove from device, unsubscribe, or contact support when users need account deletion. | Using a vague Are you sure prompt that does not name the object, count, or consequence. | Requiring users to type yes, confirm, or delete instead of the target name. | Using one Export all button with no scope, format, account, destination, date range, or size estimate. | Using settings as a dumping ground for unrelated navigation, billing, help, profile setup, onboarding, or destructive account actions. | Showing deleted objects without enough metadata to identify the right item. |