How account & data deletion works
Article 17 of the GDPR gives you the right to have personal data erased on request. This page explains the exact mechanism Buronia uses, in plain language. The legal text is intentionally one authoritative English version — translating binding legal copy without a country lawyer reviewing it would be irresponsible.
Effective 2026-05-01. Last reviewed by Buronia DPO Victor Cheng.
The one-click route (recommended)
- Sign in to your dashboard with the email you signed up with.
- Scroll to the red "Delete my account & data" card at the bottom.
- Click it. We show you the exact list of records about to be wiped (drafts, uploads, pending applications, sign-in tokens, waitlist entries) and the legally required exceptions we have to keep.
-
Type
DELETEin capital letters. We require deliberate typing rather than a single click so a fat-fingered submit cannot wipe an account. -
Press Permanently delete my account. Within seconds:
- Your
usersrow is gone. - Every draft you started is gone.
- Every uploaded document blob is unlinked from disk (unless another account also uploaded the byte-identical file — in that case the blob stays for them, but your reference is removed).
- Every pending application waiting on email verification is gone.
- Every magic sign-in token tied to your email is gone.
- Every waitlist row tied to your email is gone.
- Your login cookie and session are cleared on the response.
- Your
- You see a confirmation page that says "Your account is gone." That is the legal moment of erasure.
The email route (for users who can't sign in)
If you've lost access to the email you signed up with, write to dpo@buronia.com with the subject line "Erasure request" from any address that can prove the original was yours. We acknowledge within 72 hours and complete erasure within 30 days, per Art. 12(3).
What we keep, and why
A handful of records are exempted from erasure because we are legally required to keep them. This is the complete list:
| What we keep | For how long | Why |
|---|---|---|
| Stripe transaction ID + invoice number | 10 years | EU member-state accounting law (the harmonised baseline; some countries require 6, the longest is Germany at 10). |
| The amount and date of each payment | 10 years | Same — accounting law. |
| A redacted audit log entry "user X erased on date Y" | 3 years | So that we can prove to a supervisory authority that we honoured your erasure request, in the unlikely event of a complaint or audit. The entry holds no personal data — just the fact that erasure happened. |
Notably, we do not keep: your name, your address, your benefit answers, your draft text, the contents of any letter you uploaded, any OCR output, your chat or support history.
What about Stripe and other sub-processors?
Stripe holds payment records on its own legal basis (also accounting law). To exercise erasure of payment records on the Stripe side, you contact Stripe directly — see stripe.com/privacy. Resend (our email sender) holds the magic-link delivery log for 30 days; deleting your account immediately stops new entries from being created. The full list of sub-processors and what each one sees is on the sub-processors page.
Where to complain if we get this wrong
If you believe Buronia has not honoured your erasure request, you have the right to complain to the data-protection supervisory authority of your country. We are happy to be wrong about something specific — but we want you to also know that the authority is the final arbiter, not us. Below is the supervisory authority for every country Buronia operates in:
| Country | Supervisory authority | Website |
|---|---|---|
| 🇦🇹 Austria | Datenschutzbehörde (DSB) | dsb.gv.at |
| 🇧🇪 Belgium | Gegevensbeschermingsautoriteit / Autorité de protection des données (APD/GBA) | autoriteprotectiondonnees.be |
| 🇧🇬 Bulgaria | Комисия за защита на личните данни (КЗЛД) | cpdp.bg |
| 🇭🇷 Croatia | Agencija za zaštitu osobnih podataka (AZOP) | azop.hr |
| 🇨🇾 Cyprus | Επίτροπος Προστασίας Δεδομένων Προσωπικού Χαρακτήρα | dataprotection.gov.cy |
| 🇨🇿 Czechia | Úřad pro ochranu osobních údajů (ÚOOÚ) | uoou.cz |
| 🇩🇰 Denmark | Datatilsynet | datatilsynet.dk |
| 🇪🇪 Estonia | Andmekaitse Inspektsioon (AKI) | aki.ee |
| 🇫🇮 Finland | Tietosuojavaltuutetun toimisto | tietosuoja.fi |
| 🇫🇷 France | Commission nationale de l'informatique et des libertés (CNIL) | cnil.fr |
| 🇩🇪 Germany | Federal: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI). State: each Bundesland has its own DPA — start with BfDI, they refer. | bfdi.bund.de |
| 🇬🇷 Greece | Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (HDPA) | dpa.gr |
| 🇭🇺 Hungary | Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) | naih.hu |
| 🇮🇪 Ireland | Data Protection Commission (DPC) | dataprotection.ie |
| 🇮🇹 Italy | Garante per la protezione dei dati personali | garanteprivacy.it |
| 🇱🇻 Latvia | Datu valsts inspekcija (DVI) | dvi.gov.lv |
| 🇱🇹 Lithuania | Valstybinė duomenų apsaugos inspekcija (VDAI) | vdai.lrv.lt |
| 🇱🇺 Luxembourg | Commission nationale pour la protection des données (CNPD) | cnpd.public.lu |
| 🇲🇹 Malta | Information and Data Protection Commissioner (IDPC) | idpc.org.mt |
| 🇳🇱 Netherlands | Autoriteit Persoonsgegevens (AP) | autoriteitpersoonsgegevens.nl |
| 🇵🇱 Poland | Urząd Ochrony Danych Osobowych (UODO) | uodo.gov.pl |
| 🇵🇹 Portugal | Comissão Nacional de Proteção de Dados (CNPD) | cnpd.pt |
| 🇷🇴 Romania | Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) | dataprotection.ro |
| 🇸🇰 Slovakia | Úrad na ochranu osobných údajov SR | dataprotection.gov.sk |
| 🇸🇮 Slovenia | Informacijski pooblaščenec (IP) | ip-rs.si |
| 🇪🇸 Spain | Agencia Española de Protección de Datos (AEPD) | aepd.es |
| 🇸🇪 Sweden | Integritetsskyddsmyndigheten (IMY) | imy.se |
You may also lodge a complaint with the lead supervisory authority under the GDPR's "one-stop-shop" mechanism (Art. 56) — Buronia's lead authority is the Finnish Tietosuojavaltuutettu, since our main establishment is in Finland.
Behaviour after deletion
- If you sign in again with the same email later, a brand-new account is created on first use, with nothing carried over from the old one.
- You will not appear in any future export, backup, or analytics aggregate of users — the wipe is at the row level, not a soft-delete flag.
- Any subsequent magic-link request for that email creates a fresh user row at first verification.
Open the deletion page now
Sign in to delete your account →
Contact
Questions about this page or the deletion mechanism — write to dpo@buronia.com. The DPO answers all data-rights mail directly.