Practical scenario
What Happens to Your Data When You Close an Account
Closing or deleting an account is not the same as erasing your data. Here is what usually happens behind the scenes, and how to ask for more under UK GDPR if you want to.
In short
Closing an account usually deactivates your access, but the organisation may keep some of your personal data for a time — for legal, accounting, or security reasons. To have it removed sooner, you can make an erasure request under UK GDPR. The controller must respond, though some data may lawfully be retained.
Closing an account and deleting your data are two different things
When you close or delete an account, the most visible change is that you can no longer log in. Your profile may disappear from view, and the service may tell you the account is gone. That is the part you can see. What happens to the underlying personal data is a separate question, and the answer is often less tidy than the word delete suggests.
Most organisations distinguish between deactivating your access and actually erasing the records they hold about you. Some data may be removed quickly, some may be kept for a defined period, and some may be retained in backups or logs that are not deleted on the same schedule as the live account. None of this is necessarily a problem. Under the UK GDPR, an organisation is allowed to keep personal data only for as long as it has a lawful reason, and it should tell you how long that is in its privacy notice.
This article is general information, not legal advice. It is written around UK GDPR and the Information Commissioner's Office (ICO), the UK's data protection regulator. The same principles broadly apply elsewhere, but the exact rules and time limits depend on where you and the organisation are based.
How to find out and ask for erasure
If you want to understand what an organisation keeps after you leave, or you would like your data removed sooner than its standard retention period, you can ask. You have two distinct rights here: the right to be told what is held about you, and the right to ask for erasure. Working through them in order keeps things calm and clear.
Keep in mind that erasure is a qualified right, not an absolute one. A controller may lawfully retain some information after you close your account, for example to meet a legal or tax obligation, to defend a legal claim, or to keep a suppression record so it does not contact you again. A clear, polite request still moves things forward.
- Read the organisation's privacy notice or account-closure page first. It usually states what is kept after closure and for how long.
- If you want the full picture, make a data subject access request (a DSAR) to ask what personal data the organisation still holds about you.
- To have data removed, send a written erasure request, sometimes called the right to be forgotten, naming the account and the email address it used.
- Ask the controller to confirm in writing what has been erased and what, if anything, it is keeping, along with the lawful reason.
- If a month passes with no adequate response, you can follow up, and ultimately raise a concern with the ICO.
What organisations may keep, and why
Retention after account closure is normal and often required. An online shop may need to keep order and payment records for several years to satisfy tax law. A platform may keep a minimal record of your email address on a suppression list precisely so it does not accidentally re-add you to marketing. Security and fraud-prevention logs may persist for a defined window. In each case the organisation should be able to point to a lawful basis and a retention period.
What an organisation should not do is keep your personal data indefinitely with no reason, or carry on using a closed account's data for new purposes such as fresh marketing. If the privacy notice is vague, that is a fair thing to ask about. A good controller will give you a straight answer about what survives closure and when it is finally deleted.
OSINTA can help you see this picture for yourself and prepare the requests, but you stay in control of every decision. The system suggests; you decide whether to send anything, and to whom.
Frequently asked questions
Does deleting my account erase all my data immediately?
Usually not. Deleting an account typically removes your access and hides your profile, but the organisation may keep some records for a defined period for legal, accounting, or security reasons, and copies may persist in backups for a while. To have data removed sooner, you can make an erasure request under UK GDPR.
Can a company refuse to delete my data after I close my account?
Sometimes, in part. Erasure is a qualified right, so a controller can lawfully keep certain data, for example to meet a tax obligation, defend a legal claim, or maintain a suppression record. It should tell you what it is keeping and why. It cannot keep everything indefinitely with no lawful reason.
How do I ask what data is still held after I close an account?
Make a data subject access request, often shortened to a DSAR, to the organisation. This asks it to tell you what personal data it still holds about you. It is a separate right from erasure, and it is a useful first step before deciding whether to ask for anything to be deleted.
Does OSINTA delete my account or data for me?
No. OSINTA is self-only and helps you understand your own footprint and prepare your own requests. It does not remove data on your behalf or guarantee any outcome. You decide what to send and to whom, and the organisation that holds your data decides how to respond.
Related terms
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.
Want to act on what you leave behind?
See how a clear access or erasure request works, and prepare your own when you are ready.