| UI or UX | UI + UX - Anti-pattern where account deletion or associated data erasure is hidden, disguised, obstructed, or committed without a fair account-level review | UI + UX - Account-level closure and associated personal data deletion workflow | UI + UX - Final destructive commit review | UI + UX - Exact target phrase gate before severe commit | UI + UX - User or administrator workflow for selecting, preparing, securing, downloading, transferring, and verifying data export packages | UI + UX - Durable privacy-control surface for account, product, device, app-access, activity, visibility, and sharing settings |
| --- | --- | --- | --- | --- | --- | --- |
| UI guidance | Do not hide "Delete account" behind FAQ search, support email, unrelated privacy copy, tiny footer links, inactive controls, deactivation labels, or data-export screens when users need an account deletion route. | Render delete account as a discoverable account-settings workflow that names the signed-in account, affected services, associated data, retained data, subscriptions, linked sign-in methods, recovery window, and final deletion status. | Render a destructive confirmation after the user invokes a destructive command, with a title and final action button that repeat the destructive verb and target, such as "Delete workspace" or "Cancel subscription". | Render a visible non-secret text field inside a destructive or high-consequence confirmation, labelled with the exact target phrase the user must type before the final action enables. | Render data export as a job-based workflow with export scope, data categories, format, destination, estimated size, preparation status, expiry, security requirements, and download or transfer actions. | Render privacy settings as a returnable control surface with current effective values, privacy categories, data types, app or service access, account/device/product scope, source of truth, managed or unavailable reasons, last updated status, and save or immediate-apply feedback. |
| UX guidance | Treat concealed or disguised account deletion as an anti-pattern because it blocks users from closing an identity-bearing account and understanding what happens to associated personal data. | Use delete account when users need to close an identity-bearing account and remove or request removal of associated personal, profile, authentication, app, subscription, and service data. | Use destructive action confirmation to create one informed stop before permanent or externally visible loss, not to slow every routine cleanup action. | Use typed confirmation only when reproducing the target phrase meaningfully reduces severe wrong-object or wrong-scope mistakes, such as deleting a repository, project, account, workspace, production dataset, or root credential. | Use data export when users need a portable copy of personal, account, workspace, product, activity, or organization data for reuse, compliance, migration, backup, or review. | Use privacy settings when users need to inspect and change ongoing privacy posture for saved activity, profile visibility, app access, device permissions, data sharing, ad personalization, location, connected apps, or product privacy dashboards. |
| Good UI | Account settings contains a visible "Delete account" entry that opens a review naming maya.chen@example.com, affected services, data categories, retained records, linked apps, billing, export first, and the request status. | An account settings page shows "Delete account" for maya.chen@example.com, lists profile, projects, messages, connected apps, subscriptions, and retained invoices, offers "Download data first", then schedules deletion with a 14-day cancel window. | "Delete Payments project?" lists 4 dashboards, 12 saved views, 3 webhooks, and 8 shared links, offers "Keep project", and labels the danger action "Delete Payments project". | "Delete repository acme/payments-api?" requires typing acme/payments-api, shows a mismatch until the exact path matches, and then enables "Delete repository". | A privacy dashboard lets a user choose activity, profile, files, messages, and billing categories, shows JSON or CSV availability, requires reauthentication, creates archive EXP-2048, then shows download expiry and checksum. | An account privacy dashboard groups Saved activity, Profile visibility, Ad personalization, Connected apps, Location history, Device permissions, and Data deletion, with current values, scope labels, last updated times, and unavailable reasons. |
| Bad UI | The app offers only "Deactivate account" and keeps profile data, tokens, messages, and personal data active. | A page offers only "Deactivate account", tells users to email support, and never says whether profile data, authentication records, subscriptions, or linked apps are deleted. | A modal says "Are you sure?" with "OK" and "Cancel" after the user clicks "Delete", without naming the project or what disappears. | A dialog asks users to type "YES" before deleting a workspace, so the text does not verify the target object. | A button says "Export all data" but does not say which services, formats, accounts, dates, or unavailable records are included. | A Privacy page links only to a legal policy and has no controls for activity history, public profile fields, personalization, app access, or data sharing. |
| Good UX | A user finds "Delete account" from settings, downloads data, verifies identity, reviews retained invoices and linked apps, submits deletion, and later checks request status. | A user exports their data, verifies the account email, reviews affected services and subscription handling, types the email to confirm, schedules deletion, and can cancel during the stated recovery window. | A user opens "Delete workspace", reviews the object count and webhooks, cancels, and returns to the same workspace with nothing changed. | A user starts deleting acme/payments-api, mistypes the repository path, sees the mismatch, and cancels before deleting the wrong repository. | A user requests a machine-readable archive, sees which data categories are eligible for portability, waits for preparation, downloads the package before expiry, and gets a manifest listing omitted records. | A user pauses saved activity, clears search history for a date range, disables ad personalization, hides birthday visibility, revokes a connected app, and sees which values apply immediately versus after sync. |
| Bad UX | A user searches settings for deletion, finds only "Sign out" and "Deactivate", and leaves personal data in the service because the deletion path is concealed. | A user deletes an account from the wrong identity provider session because the flow hides which Google, Apple, or email account is signed in. | A user confirms deletion because "OK" looks like the primary next step, then discovers shared links and child reports were lost. | A user types "DELETE" by habit and passes the gate without checking which workspace will be removed. | A user downloads a huge ZIP with no manifest, cannot tell whether messages or attachments are missing, and assumes export completed because one file downloaded. | A user turns off location sharing in account privacy settings, but the device-level location permission remains active and the page never explains the split. |
| Best fit | Auditing a product that supports account creation and may be hiding, obstructing, disguising, or underspecifying account deletion. | Users can create an account and need a self-serve or direct request path to close it and delete associated data. | A user has initiated a destructive command that can permanently remove, revoke, reset, deactivate, or cancel something valuable. | A severe action affects repository, project, workspace, account, production, security, billing, or organization-wide scope. | Users need to download or transfer a copy of account, workspace, personal, product, activity, or organization data. | Users need ongoing control over personal data collection, saved activity, visibility, app access, device permissions, connected services, data sharing, or personalization. |
| Avoid when | The account deletion workflow is already discoverable and complete; use delete account. | The task is simply signing out, removing an account from one device, deleting one service, unsubscribing from email, disabling notifications, or changing a privacy preference. | The action is a routine reversible archive, hide, dismiss, move, reorder, or trash move. | The action is routine, reversible, local, or recoverable through undo or trash restore. | The user is importing records into the product; use bulk import. | The task is a first-time opt-in to one optional purpose; use consent prompt. |
| Required state | Hidden settings state where "Delete account" is absent or buried behind unrelated privacy/support copy. | Discoverable account deletion entry point in account settings or a direct web deletion resource. | Idle state where the destructive command is visible but not committed. | No-typed-gate state for actions that do not need target-text escalation. | Eligible data categories and unavailable categories state. | Privacy settings overview with categories and current effective values. |
| Accessibility burden | Do not rely on tiny footer links, hidden accordions, hover-only help, exact search text, color-only danger styling, or disabled controls to expose account deletion. | Use headings and labels that name the account and deletion action, not color or danger styling alone. | Use alertdialog semantics or platform equivalent when the destructive decision requires an immediate response. | Associate the input with a label that includes or references the required phrase. | Use persistent status text for queued, preparing, ready, partial, failed, expired, and downloaded states rather than relying on a spinner or toast alone. | Use clear headings, labels, descriptions, and status text for each privacy category and control. |
| Common misuse | Hiding account deletion in a privacy policy, FAQ, support article, or exact-match help search. | Offering only deactivate, disable, sign out, remove from device, unsubscribe, or contact support when users need account deletion. | Using a vague "Are you sure" prompt that does not name the object, count, or consequence. | Requiring users to type "yes", "confirm", or "delete" instead of the target name. | Using one "Export all" button with no scope, format, account, destination, date range, or size estimate. | Replacing privacy settings with a privacy policy link or legal notice. |