When to read this article
You're considering deleting your TaxItEasy account, or you've already clicked Delete and want to understand what's happening. The deletion is a real, hard erasure (crypto-shredded after 30 days), so the order matters: export first, then delete.
If you only want to stop paying but keep the option to come back, downgrade to Free instead — see switch or cancel your plan. Free is the "cancelled" state and keeps your data. Deletion is the irreversible step.
If you want to exercise GDPR rights without account deletion (right of access, rectification, restriction, portability, objection), see your GDPR rights as a user.
Step 1 — export your data first
This is the step people regret skipping. Before you click Delete, get a copy of everything.
Run an export from Settings → Export. Pick a date range covering everything you want to keep (typically "all time" — leave the from-date empty or pick the date you signed up). Click Export. For accounts with thousands of documents the export runs as a background job and you'll get a notification when it's ready, typically within a few minutes.
The export contains every document, all extracted fields, your bank-match history, and signed URLs to download the original files. After deletion, this export is the only complete record you'll have. There is no "undelete after day 31" — the data is gone, not in our backups, not retrievable by emailing support. See export your records for year-end for the full export walk-through.
Save the export somewhere you'll actually find it later — your password manager's secure notes, encrypted cloud storage, a personal NAS. The signed URLs in the export JSON for downloading the original files stay valid for 7 days from export generation; download the originals separately if you want them long-term.
Step 2 — delete the account
- Open Settings → Account → Delete account.
- Read the confirmation screen. It lists what will be deleted (documents, invoices, transactions, exports, advisor connections, OAuth integrations, email-forwarding address, 2FA recovery codes, audit logs scoped to your account except those required for legal compliance).
- Type your account email address in the confirmation field — this protects against accidental clicks. Misspelling rejects the deletion.
- Click Yes, delete my account.
- Your account is immediately deactivated: no more logins, no more billing charges, your u-…@in.taxiteasy.org inbound address stops accepting mail, OAuth tokens are revoked at Google / Microsoft / Stripe, your bank connections are dropped, any active sessions on other devices are invalidated, any tax-advisor connections are severed.
You'll get a confirmation email from [email protected] with a Restore my account link valid for 30 days. Save that email if there's any chance you'll change your mind.
The 30-day grace period
You have 30 calendar days from the click-Delete moment to either:
- Restore the account — click the Restore my account link in the confirmation email. Your account comes back exactly as it was: same data, same documents, same plan, same OAuth integrations (you'd need to re-grant the OAuth scopes since tokens were revoked, but the historical data stays).
- Or do nothing — on day 31, the deletion finalises.
During the 30 days, your data is still encrypted and stored in Frankfurt. It's just not accessible — login is blocked, your u-… forwarding address rejects new mail, bank connections are dropped, tax advisor links are severed. This window exists because account deletion is often a regrettable click triggered by a frustrating moment, and we'd rather let you change your mind than treat one annoyed click as a final decision.
The 30-day window is fixed; we don't extend it on request, partly because the predictable boundary is what makes the GDPR-Article-17 deletion timely (statutory expectation is "without undue delay") and partly because an extendable grace period would defeat the point.
Day 31 — crypto-shredding
On day 31, the encryption key tied to your account is destroyed. Every document, every invoice, every receipt, every bank transaction, every OCR result, your 2FA secret, your hashed password, any encrypted OAuth tokens, every audit-log entry that referenced your data — all become mathematically unreadable. For us. For our staff. For our backups. Forever.
This is "crypto-shredding": deletion enforced by key destruction rather than by best-effort row-deletion across the database. The data still exists as ciphertext until the natural rotation cycle of our infrastructure clears it, but without the encryption key it's worthless noise. A future court order, a future security incident, or a future change of policy on our side cannot recover it — the cryptographic problem of decrypting AES-256 ciphertext without the key is mathematically infeasible.
This satisfies GDPR Article 17 ("right to erasure") cryptographically rather than by best-effort database scrubbing. It's the strongest form of erasure currently available for cloud-hosted data.
For the encryption design behind crypto-shredding (the MEK/UEK/DEK envelope structure that makes per-account key destruction sufficient), see how our encryption works, in plain English.
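The sketch below is an added example, not TaxItEasy's code, showing why destroying one per-account key is enough to make every document of that account unreadable. It assumes MEK, UEK and DEK stand for master, per-user and per-document data keys, and uses in-memory stand-ins (`wrappedUEK`, `documents`) and hypothetical function names in place of a real key store and database.

```javascript
// Added illustration, not TaxItEasy's implementation. Assumed key roles:
// MEK = master key, UEK = per-user key, DEK = per-document data key.
const nodeCrypto = require("node:crypto");

// AES-256-GCM; output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified (GCM tag check).
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical in-memory stand-ins for a key store and a document table.
const MEK = nodeCrypto.randomBytes(32);
const wrappedUEK = new Map(); // userId -> UEK sealed under MEK
const documents = [];         // { userId, wrappedDEK, ciphertext }

function createUser(userId) {
  wrappedUEK.set(userId, seal(MEK, nodeCrypto.randomBytes(32)));
}

function storeDocument(userId, text) {
  const uek = unseal(MEK, wrappedUEK.get(userId));
  const dek = nodeCrypto.randomBytes(32); // fresh key per document
  documents.push({ userId, wrappedDEK: seal(uek, dek), ciphertext: seal(dek, Buffer.from(text)) });
  return documents.length - 1;
}

function readDocument(id) {
  const doc = documents[id];
  const wrapped = wrappedUEK.get(doc.userId);
  if (!wrapped) throw new Error("user key destroyed: document unreadable");
  const dek = unseal(unseal(MEK, wrapped), doc.wrappedDEK);
  return unseal(dek, doc.ciphertext).toString("utf8");
}

// Crypto-shredding: destroy the one per-user key; ciphertext rows stay in place.
function shredUser(userId) { return wrappedUEK.delete(userId); }

// The master key alone cannot unwrap a DEK, so it is no path around a shredded UEK.
function masterKeyCanUnwrap(id) {
  try { unseal(MEK, documents[id].wrappedDEK); return true; } catch { return false; }
}
```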
What survives deletion
A small number of records survive because they're required by law to survive:
- Financial-trail audit entries required under §147 AO / §257 HGB (German Tax Code / Commercial Code, 10-year retention) and equivalent laws in other EU jurisdictions. These are pseudonymised: your email is anonymised, but the financial-trail record (timestamp, document hash, the fact a payment was processed) stays so we can answer a tax-authority audit years later. We can't tell who the user was from the surviving record.
- Sub-processor billing records at Stripe. Stripe keeps its own records of transactions for its own tax and compliance reasons; we can't delete those from Stripe's side. If you want Stripe to also erase its records, that's a separate GDPR request to Stripe ([email protected]).
- Aggregate analytics (anonymous usage counts, no per-user attribution) that we use for capacity planning. These contain no per-user data; nothing about you specifically is recoverable from them.
Everything else is crypto-shredded. The full list of what's deleted vs what survives is on the confirmation screen.
GDPR rights without account deletion
If you don't want to delete the whole account but want to exercise other GDPR rights:
- Right of access (Art. 15) — Export from Settings → Export, or write to [email protected] for a structured DPO-issued copy.
- Rectification (Art. 16) — Edit fields directly in the app, or contact dpo@ for fields you can't edit yourself.
- Restriction (Art. 18) — [email protected]. Suspends processing without deleting.
- Objection (Art. 21) — [email protected]. Specific to processing for legitimate-interest purposes.
- Portability (Art. 20) — [email protected] for a structured, commonly-used, machine-readable format (JSON, same as the export, but with a DPO sign-off).
All Article-15–22 requests come with a statutory 30-day resolution SLA. We aim for first acknowledgement within 2 working days. See your GDPR rights as a user for the full rights list.
Troubleshooting
I deleted by mistake — it's been 35 days. Sorry, the data is gone after day 31. The crypto-shredding is mathematical, not policy. Restore is impossible; we can't recover what we no longer have the key for. The export you took before deletion (you did, right?) is the only copy.
My subscription was active when I deleted — am I refunded? Your subscription auto-cancels on deletion. You're not charged for the next cycle. Refunds for the current cycle follow our standard refund policy on /pricing#faq: if something is broken on our side, we refund; for change-of-mind cancellations, the period runs to end. Write to [email protected] with [BILLING] in the subject if you think your case qualifies.
My tax advisor still has access — does deleting also remove their access? Yes. The tax advisor's link to your company is severed the moment you click Delete; they can't see your data during the grace period either. On day 31, the data they previously had access to is crypto-shredded the same as everything else. Their own account and any other client connections stay intact — only the connection to your deleted account is removed.
I'm a tax advisor — what about my view of clients who delete their accounts? A deleted client immediately disappears from your Clients dashboard. Your own account and other client connections stay intact. If the client restores their account within 30 days, they reappear in your dashboard; if they don't, they're gone for good.
Can I delete some data without deleting the account? Yes, but not in one click. Individual documents can be deleted from the Documents page (the document is hard-deleted; quota is not refunded). For bulk deletes, use the multi-select on Documents and Bulk delete. For specific GDPR rectification or restriction requests on data you can't directly edit, contact [email protected].
I want to delete the account but keep one specific document for legal reasons. Export that document separately (Documents → open document → Download original) before clicking Delete. Then proceed with deletion. The exported PDF / image is yours; it's no longer in our system but you have your own copy.
I'm GDPR-deleting from outside the EU. GDPR rights apply to any data subject whose data is processed by an EU establishment regardless of their physical location. We process EU citizens' data and apply Article 17 to all account deletions equally; it doesn't matter where you sign in from.
Related
- Export your records for year-end — do this first
- Where is my data stored? — the residency + encryption context
- How our encryption works, in plain English — why crypto-shredding works
- Your GDPR rights as a user — alternatives to full deletion
- Switch or cancel your plan — stop paying without deleting