
Deleting your data (UK GDPR Art. 17)

How to permanently delete your account and personal data, what we keep and why, the 30-day cooling-off window, and how to cancel.

Updated 22 days ago
For Members

Deleting your data

Under UK GDPR Article 17, you have the right to ask us to delete the personal data we hold about you. We make this self-serve from either /me/settings (Danger Zone) or /me/data ("Delete my data"); both lead to the same cooling-off flow.

What happens when you click Delete

  1. You confirm. You'll see a dialog explaining what gets deleted, what we have to keep by law, and how the 30-day window works. You'll be asked to type DELETE to confirm; this is a hard friction barrier so it doesn't happen by accident.
  2. Your account is scheduled for deletion. We do not lock you out. You can keep signing in throughout the cooling-off period; that's deliberate, so cancelling is always easy. A prominent amber banner appears across the app reminding you of the deletion date, with a Keep my account button.
  3. 30-day cooling-off begins. No data is erased yet. We send you an email with a one-click cancel link.
  4. You can change your mind. Click Keep my account in the banner, click the email cancel link, or open Your data (/me/data) and tap Cancel my erasure request. Your account is restored in place; no data was deleted.
  5. On day 30 the background worker walks every category and applies our deletion / pseudonymisation / retention rules (see below).

Before you can delete: two checks

  • Outstanding payments. If you're the payer on any unpaid payment request, deletion is blocked until you settle or cancel it. You'll get a prompt linking to /me/payments. (Settled financial records are still retained 7 years for HMRC.)
  • Sole guardian of a child. If you're the only guardian of a junior, we stop and ask you to either add a co-guardian / transfer guardianship on the Juniors page first (recommended), or explicitly confirm that the child's records should be deleted with yours. See Deleting your account for the full guardian walkthrough.

What gets deleted (most of it)

| Category | What we do |
|---|---|
| Profile (name, email, phone, address, DOB, medical notes, emergency contacts, bio) | Scrubbed to / NULL; row retained as a stub for FK integrity |
| Membership records | Display name → "Former player"; admin notes cleared |
| Consent records | Hard deleted |
| Notifications sent to you | Recipient detached; payload walked recursively to redact your name and email from any third-party mention |
| Push subscriptions, partner preferences, availability, alert subscriptions | Hard deleted |
| Visit requests, team rosters, event attendance | Hard deleted |
| Coach record (if applicable) | Hard deleted |
| Survey responses | Anonymised (response data retained for aggregate stats; you're no longer linked to it) |
| API keys, system incidents authored | Detached / hard deleted |

What we keep, and why (Art. 17(3) carve-outs)

UK GDPR allows controllers to retain personal data when another legal basis overrides erasure. We retain:

| Category | Why | How long |
|---|---|---|
| Financial records (payments, invoices, refunds) | HMRC / Companies Act 2006 | 7 years; your name and email are scrubbed, but the financial linkage stays |
| Audit log (every action you took or that was taken on you) | Art. 17(3)(b), proof of lawful processing | 7 years; your name → where relevant |
| Acting-as audit (when you acted on someone else's behalf, or vice versa) | Art. 17(3)(b), authorisation chain integrity | 7 years |
| Safeguarding records (welfare concerns, DBS records for coaches) | Children Act 2004 / safeguarding statutory duty | Statutory retention; see the Children's Code addendum to our DPIA |
| Past game history | Other players have a legitimate interest in their own match record | Indefinite; your slot shows "Former player" so the row's still complete |

Every kept row generates an erasure_retentions audit record naming the Art. 17(3) clause and a basis note. That's our evidence trail if the ICO asks why we didn't delete something.

Backups: a small gap to disclose

Supabase (our database host) retains a 7-day point-in-time-recovery (PITR) backup of the database. Erasing your live data does not propagate into PITR backups: they age out within 7 days. So between live erasure (day 30) and full backup expiry (day 37), an extremely small theoretical risk exists that a database-level restore could reintroduce your data. We have a runbook (docs/runbooks/post-pitr-restore.md) that automatically re-erases any subjects in that case.

By day 37, in the worst case, your data is unrecoverable from any surface.
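The check a post-restore re-erasure step has to make, as an added example (not the platform's runbook or code): a snapshot taken before an erasure completed still contains that subject, so every erasure completed after the restore point must be replayed. The ledger type, subject ids and dates are constructed, and the example assumes the ledger of completed erasures is stored somewhere the restore does not roll back.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PITR_RETENTION = timedelta(days=7)  # backup window stated on the page


@dataclass(frozen=True)
class CompletedErasure:
    subject_id: str         # hypothetical opaque identifier
    completed_at: datetime  # when the day-30 worker finished


def backup_expiry(erasure: CompletedErasure) -> datetime:
    """Moment after which no PITR snapshot can still contain the subject."""
    return erasure.completed_at + PITR_RETENTION


def subjects_to_reerase(ledger, restore_point, now):
    """Return subject ids whose data a restore to `restore_point` brings back.

    A snapshot taken before an erasure completed still holds that subject's
    rows, so every erasure completed after the restore point is replayed.
    """
    if restore_point > now:
        raise ValueError("restore point is in the future")
    if now - restore_point > PITR_RETENTION:
        raise ValueError("restore point is older than the PITR window")
    return sorted(e.subject_id for e in ledger if e.completed_at > restore_point)


# Constructed sample data: three erasures completed on different days.
UTC = timezone.utc
LEDGER = [
    CompletedErasure("subj-a", datetime(2025, 3, 1, 9, 0, tzinfo=UTC)),
    CompletedErasure("subj-b", datetime(2025, 3, 6, 9, 0, tzinfo=UTC)),
    CompletedErasure("subj-c", datetime(2025, 3, 9, 9, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    now = datetime(2025, 3, 10, 12, 0, tzinfo=UTC)
    restore = datetime(2025, 3, 5, 0, 0, tzinfo=UTC)
    print(subjects_to_reerase(LEDGER, restore, now))
```

If the ledger lived only in the restored database, the restore would also roll back the record that the erasure ever ran, which is why the example treats it as external state.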

What about other clubs, other tenants?

The default ("Delete my data" on /me/data) erases everywhere on the platform: across every club, association, county or competition you've been part of. This is the cleanest path and matches what most people mean when they say "delete my account".

If you only want to leave one club but stay active on the platform, use the per-club erasure link at /me/clubs//data (or leave the club via /me/clubs first). That scopes the deletion to that one club; your other tenants are unaffected.

On behalf of a junior

If you are the active guardian of a junior, you can request the junior's erasure via /me/juniors//data. The same rules apply.

Important safeguarding block: if the junior has an active welfare hold on their account, erasure is refused at the database level. The UI will show a "contact welfare officer or dpo@badmintonclubhouse.com" message. We can't erase a record we're required by the Children Act to retain.

Rate limit: once per 90 days

You can submit one erasure request per 90 days. If you cancel during cooling-off and want to re-think, you'll have a sensible gap. system_admin (the platform team) can override for ICO-ordered erasures.

How long things take

  • Deletion runs: within 5 minutes after day 30 (the dispatcher cron polls every 5 min).
  • Email delivery (cancel link, completion): within a few minutes.
  • Backup expiry: 7 days post-erasure.

What we email you

  • Erasure request received: confirmation + 30-day cancel link.
  • Erasure cancelled: if you click cancel or sign back in.
  • Erasure completed: confirmation of completion (where you still have an inbox to receive it).

If something goes wrong

Erasure failures are rare but possible (constraint violations, etc.). When they happen, the row stays failed and the DPO is notified to triage. You'll receive an email; you can also email dpo@badmintonclubhouse.com at any time.

Tenant-fulfilled erasure

If you receive an email saying "an administrator at has requested erasure of your data", that means a committee member (DPO function, with the gdpr.erasure permission) lodged a request on your behalf, usually because you asked in writing, or because the club received a paper request. The email includes the same 30-day cancel link. If you didn't ask for this, reply to the email; we treat unexpected admin requests as a potential safeguarding incident.
